skills/akillness/oh-my-gods/omg/Gen Agent Trust Hub

omg

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's master installation script (scripts/install.sh) downloads and executes shell scripts directly from https://plannotator.ai/install.sh and https://bun.sh/install by piping them to bash. This pattern allows for the execution of arbitrary, unverified code with user privileges.
  • [COMMAND_EXECUTION]: Multiple scripts, such as scripts/check-status.sh and scripts/plannotator-plan-loop.sh, use python3 -c or eval to execute dynamically generated strings, which increases the risk of command injection.
  • [DATA_EXPOSURE]: Setup scripts (scripts/setup-claude.sh, scripts/setup-codex.sh, scripts/setup-gemini.sh) read and modify sensitive local configuration files, including ~/.claude/settings.json, ~/.codex/config.toml, and ~/.gemini/settings.json.
  • [PROMPT_INJECTION]: The skill defines complex orchestration protocols that rely on the agent following specific, rigid instructions and state transitions. These instructions are designed to override the agent's default task processing logic.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified:
      • Ingestion points: Data is fetched from http://localhost:4747/pending in scripts/claude-agentation-submit-hook.py and scripts/setup-codex.sh.
      • Boundary markers: Absent; the ingested data is printed directly into the agent's context without delimiters.
      • Capability inventory: The agent has access to powerful tools including Bash, Write, Task, and Grep.
      • Sanitization: None; the comment field from the JSON response is printed to the agent's context without any escaping or validation.
  • [EXTERNAL_DOWNLOADS]: The skill attempts to install several external tools globally or via npx, including agent-browser, playwriter, agentation-mcp, oh-my-opencode, and oh-my-ag, from public registries without verifying specific versions or integrity hashes.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install, http://localhost:4747/pending - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 11, 2026, 01:50 PM