plannotator
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The install.sh script downloads and executes a shell script directly from https://plannotator.ai/install.sh using the curl piped to bash pattern. This is a high-risk operation involving unverified code execution from an external domain.
- [REMOTE_CODE_EXECUTION]: For Windows systems, the install.sh script directs users to run irm https://plannotator.ai/install.ps1 | iex in PowerShell, which is a functionally equivalent high-risk remote code execution pattern.
- [COMMAND_EXECUTION]: The configure-remote.sh script modifies user shell profiles such as .bashrc, .zshrc, and .profile to inject environment variables and persistent configuration logic.
- [COMMAND_EXECUTION]: Multiple integration scripts (setup-hook.sh, setup-gemini-hook.sh, setup-codex-hook.sh) modify global AI tool configuration files in the user home directory, including ~/.claude/settings.json, ~/.gemini/settings.json, and ~/.codex/config.toml.
- [PROMPT_INJECTION]: The skill processes untrusted agent-generated plan data from /tmp/plan.md. Ingestion points: scripts/setup-codex-hook.sh and scripts/setup-gemini-hook.sh. Boundary: Relies on human review in the visual UI. Capability: CLI execution. Sanitization: None beyond JSON serialization.
- [EXTERNAL_DOWNLOADS]: The skill downloads the plannotator CLI and configuration files from plannotator.ai, which is not a verified or trusted organization according to the established security policy.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata