plannotator

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/install.sh downloads and executes a shell script from https://plannotator.ai/install.sh by piping it directly to bash. This allows an external server to execute arbitrary commands on the local system without verification.
  • [REMOTE_CODE_EXECUTION]: The installation instructions for Windows recommend using irm https://plannotator.ai/install.ps1 | iex in PowerShell, which is an unverified remote script execution pattern that bypasses local policy checks.
  • [COMMAND_EXECUTION]: The scripts/configure-remote.sh script modifies user shell profiles such as .zshrc, .bashrc, or .profile to set persistent environment variables, establishing a mechanism for persistence across shell sessions.
  • [DATA_EXFILTRATION]: Several scripts access and modify sensitive application configuration files, including ~/.claude/settings.json, ~/.gemini/settings.json, and ~/.codex/config.toml, to inject hooks and potentially sensitive instructions.
  • [COMMAND_EXECUTION]: The setup scripts use inline Python code to dynamically read, merge, and write JSON and TOML configuration files on the host system, which could be exploited to manipulate the agent's environment.
  • [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection.
      • Ingestion points: Processes external plan markdown files and git diff outputs that may contain untrusted data.
      • Boundary markers: Absent; the skill does not use delimiters to isolate untrusted content from system instructions.
      • Capability inventory: Uses Bash and Write tools to modify configuration files and execute system commands.
      • Sanitization: Absent; the skill does not validate or sanitize input plans or diffs before processing them.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 11, 2026, 01:50 PM