plannotator
Fail
Audited by Snyk on Mar 7, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Several links point to legitimate resources (Obsidian download, GitHub). However, the skill also references a direct installer script (https://plannotator.ai/install.sh) and a small/unknown GitHub repo (backnotprop/plannotator) that includes scripts which modify local configs and write files. This makes it a potentially risky download source unless you inspect the script/repo first.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer script (scripts/install.sh) runs curl -fsSL https://plannotator.ai/install.sh | bash, which fetches and executes remote code at runtime. Because this step is required to install the plannotator CLI, the URL is a direct runtime dependency that can control execution.
Audit Metadata