bmad-orchestrator

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/install.sh contains a command that downloads and executes code from a remote URL (https://plannotator.ai/install.sh) by piping it directly into the shell (| sh). This bypasses local security checks and allows for arbitrary code execution from a source outside the trusted vendor list.
  • [DATA_EXFILTRATION]: The skill is designed to read project documents such as PRDs, Technical Specifications, and Architecture designs and transmit them to the plannotator.ai service via its CLI. Because this domain is not a recognized trusted service, this behavior constitutes a risk of sensitive intellectual property being sent to an unverified third party.
  • [COMMAND_EXECUTION]: The installation process attempts to configure a persistence mechanism by setting up a 'Claude Code hook'. Specifically, it calls a setup script to integrate with the agent's ExitPlanMode. This modification ensures the skill's scripts are triggered automatically during the agent's workflow, maintaining a presence in the agent's operating environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
    • Ingestion points: The skill reads user-defined or agent-generated markdown files in the docs/ directory.
    • Boundary markers: No markers or delimiters are used to prevent the agent from interpreting instructions embedded within these documents as its own.
    • Capability inventory: The skill can execute shell commands (bash), write files (scripts/init-project.sh), and perform network operations via the plannotator CLI.
    • Sanitization: The content of the documents is not sanitized or escaped before being processed or passed to external tools.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 14, 2026, 03:10 PM