plannotator

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/install.sh downloads code from a remote URL (https://plannotator.ai/install.sh) and pipes it directly to bash, a high-risk installation pattern. The downloaded code executes on the host system with no integrity verification or authentication.
  • [COMMAND_EXECUTION]: Multiple scripts within the skill modify local system and application configurations to facilitate automatic command execution:
      • scripts/setup-hook.sh and scripts/setup-gemini-hook.sh: Modify ~/.claude/settings.json and ~/.gemini/settings.json to install an ExitPlanMode hook that executes the plannotator command.
      • scripts/setup-codex-hook.sh: Modifies ~/.codex/config.toml to include a complex python3 command chain in the developer_instructions field.
      • scripts/configure-remote.sh: Modifies user shell profiles (.zshrc, .bashrc, .profile) to persist environment variables across sessions.
  • [EXTERNAL_DOWNLOADS]: The skill performs unverified downloads from the domain plannotator.ai, which is not a pre-verified trusted source or well-known service according to standard security protocols.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via its processing of AI agent plans.
      • Ingestion points: Reads implementation plans from /tmp/plan.md and git diffs as seen in scripts/setup-codex-hook.sh and scripts/review.sh.
      • Boundary markers: The commands used to process plans (e.g., the python3 JSON pipe) lack explicit boundary markers or instructions for the agent to ignore instructions embedded within the data.
      • Capability inventory: The skill has significant capabilities including arbitrary command execution via tool hooks and the ability to write to the local filesystem.
      • Sanitization: There is no evidence of sanitization or validation of the plan content before it is passed to the CLI or filesystem.
  • [DATA_EXFILTRATION]: The Obsidian and Bear Notes integrations involve the skill writing data to user-specified paths on the local filesystem or interacting with other applications via custom URI schemes (bear://x-callback-url/create), which could be misused to move sensitive data out of controlled environments.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 20, 2026, 07:00 AM