plannotator

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Although some links point to GitHub and the official Obsidian site, the presence of a direct installer script on an unvetted domain (https://plannotator.ai/install.sh) and a small/personal GitHub repo means running the provided shell installer without inspecting it is a potentially high-risk vector for malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install instructions fetch and execute remote installer code at runtime (e.g., curl -fsSL https://plannotator.ai/install.sh | bash and irm https://plannotator.ai/install.ps1 | iex), which runs remote code required to install the CLI and hook into agent workflows.