plannotator

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh script downloads an installer from https://plannotator.ai/install.sh and pipes it directly to bash. This domain is not recognized as a trusted organization or well-known service, posing a high risk of arbitrary code execution at installation time.
  • [COMMAND_EXECUTION]: The skill's scripts perform extensive modifications to the user's environment to maintain persistence. Specifically, scripts/configure-remote.sh appends environment variables to shell initialization files (.bashrc, .zshrc, .profile), and scripts like scripts/setup-hook.sh modify sensitive AI agent settings files in ~/.claude/, ~/.gemini/, and ~/.codex/.
  • [EXTERNAL_DOWNLOADS]: The skill depends on downloading a CLI binary from an external untrusted domain (plannotator.ai). It also requires the installation of global Node.js packages such as @openai/codex and @google/gemini-cli.
  • [PROMPT_INJECTION]: The skill injects persistent tool-use instructions into the agent's system-level configuration files. These instructions mandate that the agent must pipe its plans to the external plannotator tool, which creates a permanent attack surface for instruction override.
  • [DATA_EXFILTRATION]: The skill includes functionality to send implementation plans and git diffs to an external server (share.plannotator.ai) via the PLANNOTATOR_SHARE_URL variable. This represents a potential exfiltration path for proprietary code or internal architecture plans.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to how it processes external data.
      • Ingestion points: The skill reads git diffs in scripts/review.sh and agent-generated plans in scripts/setup-codex-hook.sh.
      • Boundary markers: There are no boundary markers or instructions to ignore embedded commands when passing data to the plannotator binary.
      • Capability inventory: The plannotator tool has permission to write to the filesystem (Obsidian vaults) and execute subprocesses.
      • Sanitization: No sanitization or validation of the plan markdown is performed before it is processed by the external CLI tool.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 7, 2026, 02:56 AM