Skills
skills/akillness/skills-template/plannotator/Gen Agent Trust Hub

plannotator

Fail

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh script downloads a remote shell script from https://plannotator.ai/install.sh and pipes it directly into the bash interpreter, which allows for the execution of arbitrary remote code on the user's system.
  • [PERSISTENCE_MECHANISMS]: The skill includes several scripts that automate the modification of user configuration files and shell profiles to maintain integration across sessions:
  • scripts/configure-remote.sh appends environment variable exports (PLANNOTATOR_REMOTE, PLANNOTATOR_PORT) to shell profiles such as ~/.zshrc, ~/.bashrc, and ~/.profile.
  • scripts/setup-hook.sh, scripts/setup-gemini-hook.sh, and scripts/setup-codex-hook.sh modify internal agent settings files (~/.claude/settings.json, ~/.gemini/settings.json, and ~/.codex/config.toml) to inject ExitPlanMode hooks that execute the plannotator command automatically.
  • [DYNAMIC_CONTEXT_INJECTION]: The scripts/setup-opencode-plugin.sh script registers an OpenCode slash command (/plannotator-annotate) using the !command syntax: `!`plannotator annotate "$ARGUMENTS". This pattern executes shell commands at runtime with user-supplied arguments, which could lead to command injection if the $ARGUMENTS variable is not properly sanitized by the platform.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of untrusted agent-generated content.
  • Ingestion points: The tool reads agent-generated implementation plans and git diffs through automated hooks and the scripts/review.sh script.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard instructions embedded within the plans being reviewed.
  • Capability inventory: The skill possesses capabilities for file system modification (writing to Obsidian vaults), network interaction (triggering browser sessions and Bear callback URLs), and executing subprocesses via the plannotator CLI.
  • Sanitization: There is no evidence of sanitization or structural validation performed on the plan content before it is passed to the review UI or saved to notes.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 19, 2026, 01:26 AM