skills/akillness/oh-my-skills/jeo/Gen Agent Trust Hub

jeo

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements high-risk command patterns by piping remote content from unverified sources directly to system shells. For example, scripts/install.sh executes curl -fsSL https://plannotator.ai/install.sh | bash.
  • [REMOTE_CODE_EXECUTION]: Instructions in SKILL.md command the agent to fetch content from http://localhost:4747/pending and pipe it directly to python3. This allows any local service or malicious actor capable of binding to port 4747 to execute arbitrary Python code on the host system.
  • [COMMAND_EXECUTION]: The skill makes extensive use of subprocess.run and os.system via Python one-liners to perform administrative tasks, including modifying global tool configuration files in ~/.claude/, ~/.codex/, and ~/.gemini/.
  • [EXTERNAL_DOWNLOADS]: The installation scripts download and install multiple global NPM packages (agent-browser, playwriter, agentation-mcp) and other binaries without cryptographic integrity verification.
  • [PROMPT_INJECTION]: The skill exhibits a critical Indirect Prompt Injection surface (Category 8).
      • Ingestion points: Untrusted feedback data is ingested from http://localhost:4747/pending and plan.md.
      • Boundary markers: Absent. The agent is instructed to read instructions directly from the data and apply them to the codebase.
      • Capability inventory: The skill has full file-system write access and shell execution capabilities through the provided toolset.
      • Sanitization: No validation or escaping of external content is performed before the agent uses the data to perform code modifications.
  • [REMOTE_CODE_EXECUTION]: The setup scripts (setup-claude.sh, setup-gemini.sh, etc.) install persistent 'hooks' into the AI agent's global configuration. These hooks are designed to automatically execute Python or Bash scripts distributed with the skill in response to agent events, creating a permanent execution vector within the agent's environment.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending, https://bun.sh/install - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 11:45 AM