The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The script scripts/install.sh executes remote code by downloading a shell script from https://plannotator.ai/install.sh and piping it directly to the bash shell. This pattern executes unverified code from an external source without integrity checks.\n- [EXTERNAL_DOWNLOADS]: The installation process performs global installs of several third-party Node.js packages, including agent-browser and playwriter, and registers external tool plugins like @plannotator/opencode from unknown registries.\n- [COMMAND_EXECUTION]: Setup scripts such as setup-claude.sh and setup-codex.sh perform automated modifications to application-specific configuration files in the user's home directory (e.g., ~/.claude/settings.json), injecting custom hooks and environment variables into the target applications.\n- [COMMAND_EXECUTION]: The scripts/worktree-cleanup.sh utility manages git worktrees and includes a --force option that performs destructive file system operations, posing a risk of accidental data loss.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its reliance on external data to drive its orchestration workflow.\n
Ingestion points: The skill reads implementation instructions from plan.md within the scripts/plannotator-plan-loop.sh script.\n
Boundary markers: There are no explicit boundary markers or isolation instructions to prevent content in plan.md from overriding the agent's core behavior.\n
Capability inventory: The skill possesses extensive capabilities, including executing arbitrary bash commands, writing files, and performing network operations via the Bash and Write tools.\n
Sanitization: No sanitization or validation is applied to the contents of the implementation plan before it is processed by the agent.

jeo