AgentReadyHomeAgent Listing

← hook-todo-collector

hook-todo-collector — agentic threat model

7.1AIVSS 7.1 · High

The hook-todo-collector poses moderate risk primarily due to its read access across the entire project repository, making it a vector for indirect prompt injection via malicious source code comments and potential data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5AARS uplift 0.56Factor sum 1.6/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.30
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.20
Persistent Memory
0.10
Contextual Awareness
0.30
Dynamic Identity
0.00
Multi-Agent Interactions
0.20
Non-Determinism
0.20
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The plugin runs inside Claude Code. Threats include indirect prompt injection where malicious TODO/FIXME comments in source files reprogram the host model's behavior during scanning.

L2 · Data Operations✓ mapped

The plugin reads project source files to extract markers. Threat: Data exfiltration of proprietary source code or sensitive hardcoded secrets found during repository-wide scanning.

L3 · Agent Frameworks✓ mapped

It integrates as a Claude Code plugin triggered by workflow hooks. Threat: Insecure tool integration where malicious repository files manipulate the hook execution or exploit parser vulnerabilities during extraction.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — Likely runs locally within the developer's terminal/environment where Claude Code is executed. Threat: If the host environment lacks sandboxing, a compromised plugin could access local files beyond the repository root.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — No built-in logging, guardrails, or anomaly detection are mentioned for this plugin. Threat: Blind spots in detecting malicious file reads or unauthorized data exfiltration.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No explicit authentication, authorization, or policy enforcement mechanisms are described. Threat: Lack of access controls allowing the plugin to read restricted files within the repository.

L7 · Agent Ecosystem✓ mapped

It acts as a plugin within the Claude Code agent ecosystem. Threat: A2A trust abuse where Claude Code implicitly trusts the output of this plugin, potentially leading to downstream execution of malicious tasks injected into the consolidated list.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).