bmad-orchestrator

Fail

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/install.sh downloads an installation script from https://plannotator.ai/install.sh and pipes it directly to sh. This is a high-risk pattern that executes unverified remote code with the current user's permissions.
  • [EXTERNAL_DOWNLOADS]: The installation process involves downloading software from the domain plannotator.ai. This domain is not included in the trusted vendors list, and the fetch bypasses standard package manager verification.
  • [COMMAND_EXECUTION]: The skill heavily utilizes shell scripts (install.sh, init-project.sh, phase-gate-review.sh, check-status.sh) that invoke various system commands including chmod, mkdir, and sed. It also executes python3 to parse YAML data and the plannotator CLI to handle documents.
  • [DATA_EXFILTRATION]: In scripts/phase-gate-review.sh, the content of project documents (such as Product Requirements Documents or Architecture designs) is read and transmitted to the external plannotator.ai service. This results in the export of potentially sensitive project data to a third-party platform.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface through its automated architect review feature (patterns/bmad_ssd_phase_review/system.md).
      • Ingestion points: Reads project documents from docs/*.md which can be influenced by users or external data.
      • Boundary markers: None identified; document content is appended directly after an "INPUT:" marker.
      • Capability inventory: The agent can execute shell commands, write files to the local filesystem, and perform network requests.
      • Sanitization: No evidence of sanitization or escaping was found for the document content before it is processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 19, 2026, 04:19 AM