hook-todo-collector — agentic threat model
The hook-todo-collector poses moderate risk primarily due to its read access across the entire project repository, making it a vector for indirect prompt injection via malicious source code comments and potential data exfiltration.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The plugin runs inside Claude Code. Threats include indirect prompt injection where malicious TODO/FIXME comments in source files reprogram the host model's behavior during scanning.
The plugin reads project source files to extract markers. Threat: Data exfiltration of proprietary source code or sensitive hardcoded secrets found during repository-wide scanning.
It integrates as a Claude Code plugin triggered by workflow hooks. Threat: Insecure tool integration where malicious repository files manipulate the hook execution or exploit parser vulnerabilities during extraction.
Not certain from the listing — Likely runs locally within the developer's terminal/environment where Claude Code is executed. Threat: If the host environment lacks sandboxing, a compromised plugin could access local files beyond the repository root.
Not certain from the listing — No built-in logging, guardrails, or anomaly detection are mentioned for this plugin. Threat: Blind spots in detecting malicious file reads or unauthorized data exfiltration.
Not certain from the listing — No explicit authentication, authorization, or policy enforcement mechanisms are described. Threat: Lack of access controls allowing the plugin to read restricted files within the repository.
It acts as a plugin within the Claude Code agent ecosystem. Threat: A2A trust abuse where Claude Code implicitly trusts the output of this plugin, potentially leading to downstream execution of malicious tasks injected into the consolidated list.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).