plannotator
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
scripts/install.shscript downloads a payload from 'https://plannotator.ai/install.sh' and pipes it directly into the bash interpreter. This is a high-risk pattern that allows a remote server to execute arbitrary code on the host system without prior verification. - [EXTERNAL_DOWNLOADS]: The skill requires downloading external CLI tools and plugins from the plannotator.ai domain, which is not included in the trusted vendors list.
- [COMMAND_EXECUTION]: Multiple scripts perform persistent system modifications, including appending environment variables to shell profiles like
.zshrcand.bashrc. It also modifies AI agent configuration files in~/.claude/,~/.gemini/, and~/.codex/to register automated execution hooks. - [PROMPT_INJECTION]: The
scripts/setup-codex-hook.shscript injects new procedural instructions into the 'developer_instructions' field of the Codex configuration. This forces the agent to follow a specific plan-review workflow and interact with the plannotator tool for every task. - [DATA_EXFILTRATION]: The skill facilitates the transfer of agent-generated plans and code diffs to external applications like Obsidian and Bear. It also supports a custom share portal URL (share.plannotator.ai) which could potentially be used to upload sensitive project plans to an external server.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
Audit Metadata