skills/akillness/oh-my-skills/bmad/Gen Agent Trust Hub

bmad

Fail

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The 'scripts/install.sh' file and documentation in 'SETUP.md' promote the execution of 'curl -sSfL https://plannotator.ai/install.sh | sh'. This piped-to-shell pattern is a high-risk remote code execution vector that runs unverified content from a non-trusted external source directly in the user's environment.
  • [DATA_EXFILTRATION]: The 'scripts/phase-gate-review.sh' script reads user-created project documentation (PRDs, architecture drafts) and transmits the data to the external domain 'plannotator.ai' using the 'plannotator submit' command, which can lead to the unauthorized exposure of sensitive intellectual property or business logic to a third-party service.
  • [COMMAND_EXECUTION]: Multiple shell scripts, including 'init-project.sh' and 'phase-gate-review.sh', use 'sed' and other tools to perform string replacement on variables derived from file contents or filenames. These operations lack robust sanitization and are susceptible to command injection if the input strings contain malicious shell metacharacters.
  • [COMMAND_EXECUTION]: The installation script ('scripts/install.sh') configures a permanent hook in the agent's runtime environment (Claude Code ExitPlanMode). This mechanism establishes persistence for automated submission and review tasks, which increases the agent's autonomy and decreases the user's ability to review or intercept actions.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from various sources (defined as 'packets' in 'SKILL.md' Step 1). This untrusted content is then acted upon by the agent using powerful tools like Bash and Write without adequate protection.
      • Ingestion points: 'SKILL.md' (Packet intake) and 'scripts/phase-gate-review.sh' (reading document content).
      • Boundary markers: Absent; the instructions provide no delimiters or directives to ignore instructions embedded within the processed content.
      • Capability inventory: Bash, Write, Read, Grep, Glob.
      • Sanitization: None; document contents are passed directly to scripts and external tools without filtering or validation.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 20, 2026, 04:31 AM