omg
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads and executes scripts from 'https://plannotator.ai/install.sh' by piping them directly to bash in 'scripts/install.sh'. It also pipes data from 'http://localhost:4747/pending' directly to the python3 interpreter as seen in 'SKILL.md'.
- [EXTERNAL_DOWNLOADS]: The skill fetches code and configuration from non-trusted external domains like 'plannotator.ai' without integrity verification or version locking.
- [COMMAND_EXECUTION]: The setup scripts modify sensitive user configuration files such as '/.claude/settings.json' and '/.codex/config.toml' to inject environment variables and persistent hooks, which could be exploited to alter agent behavior.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface via its integration with the 'agentation' tool.
  * Ingestion points: 'http://localhost:4747/pending' in 'SKILL.md' and 'scripts/claude-agentation-submit-hook.py'.
  * Boundary markers: Absent for the processed annotation data.
  * Capability inventory: Extensive use of subprocess execution, file writing, and network operations in 'scripts/plannotator-plan-loop.sh' and 'scripts/claude-plan-gate.py'.
  * Sanitization: No evidence of validation or filtering for ingested comments or CSS selectors.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:4747/pending, https://bun.sh/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata