plannotator
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Although some links point to GitHub and the official Obsidian site, the presence of a direct installer script on an unvetted domain (https://plannotator.ai/install.sh) and a small/personal GitHub repo means running the provided shell installer without inspecting it is a potentially high-risk vector for malware.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The install script (scripts/install.sh) runs curl -fsSL https://plannotator.ai/install.sh | bash (and Windows equivalents irm https://plannotator.ai/install.ps1 | iex / curl ... https://plannotator.ai/install.cmd), which downloads and executes remote code at runtime, so https://plannotator.ai is a runtime external dependency that executes code.
Issues (2)
E005
CRITICAL: Suspicious download URL detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata