plannotator
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation process described in scripts/install.sh and SKILL.md uses the curl -fsSL https://plannotator.ai/install.sh | bash pattern, which executes unverified remote code with the current user's privileges. Nothing is checked before execution: whatever the server returns at that moment is run.
- [COMMAND_EXECUTION]: The setup scripts setup-hook.sh, setup-gemini-hook.sh, and setup-codex-hook.sh modify configuration files such as ~/.claude/settings.json, ~/.gemini/settings.json, and ~/.codex/config.toml to add execution hooks. These hooks run the plannotator command automatically whenever specific agent modes are exited, so the skill keeps executing in every later session without further user action.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes scripts from https://plannotator.ai. This domain is not identified as a trusted vendor or well-known technology service.
- [DATA_EXFILTRATION]: The skill provides a feature to share plan reviews via share.plannotator.ai. This uploads local git diffs and implementation plans, which may contain sensitive source code or internal project details, to an external server.
- [COMMAND_EXECUTION]: The scripts/configure-remote.sh script modifies shell profile files such as .zshrc and .bashrc to inject environment variables, a technique that persistently alters the user's shell environment.
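The two COMMAND_EXECUTION findings name the exact files the setup scripts write to. The shell function below is an added example, not part of this audit and not plannotator's own code: it checks those files for any plannotator reference so you can see what the setup scripts left behind, and confirm that removing the skill actually removed the hooks and profile changes. The file list is taken from the findings above; the directory argument and the match string are this example's assumptions (a renamed hook command would need a different pattern).

```shell
#!/bin/sh
# Added example (not from the audit or from plannotator). Scans the agent
# config files and shell profiles named in the findings for plannotator
# references. Prints file:line:content for every match.
# Exit status: 0 when nothing is found, 1 when references remain.

audit_plannotator_persistence() {
  # Assumption: the directory to scan is passed in, defaulting to $HOME,
  # so the check can run against a backup copy or a test directory.
  home_dir="${1:-$HOME}"
  hits=0
  # Paths come straight from the audit findings.
  for rel in .claude/settings.json .gemini/settings.json .codex/config.toml .zshrc .bashrc; do
    f="$home_dir/$rel"
    [ -f "$f" ] || continue
    # /dev/null as a second file makes grep prefix the filename (portable -H).
    matches=$(grep -n -i 'plannotator' "$f" /dev/null) || continue
    printf '%s\n' "$matches"
    hits=$((hits + 1))
  done
  if [ "$hits" -eq 0 ]; then
    echo "clean: no plannotator references in the audited files"
    return 0
  fi
  echo "found plannotator references in $hits file(s)" >&2
  return 1
}
```

Run it before installing to record a baseline, again after the setup scripts, and once more after uninstalling; the hooks in settings.json and the exported variables in .zshrc/.bashrc are what the audit flags as persistence, so a non-zero exit after removal means the foothold is still there.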
Recommendations
- HIGH: Downloads and executes remote code from https://plannotator.ai/install.sh. DO NOT USE without thorough review of the installer and the hooks it configures.
- AI analysis detected serious security threats.
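The HIGH recommendation is about the curl | bash install pattern. The shell functions below are an added example, not taken from the audit or from plannotator, showing the review-before-run alternative: fetch install.sh to disk, read it, record its SHA-256, and only then execute it, refusing to run if the file on disk no longer matches the hash you reviewed. The audit does not say plannotator publishes a checksum, so the pinned hash is one you record yourself at review time; it protects against the installer changing between review and execution (or differing on another machine), not against a malicious script you approved. The function names, the curl options and the default interpreter are this example's choices.

```shell
#!/bin/sh
# Added example (not from the audit or from plannotator). Replaces
#   curl -fsSL https://plannotator.ai/install.sh | bash
# with: fetch to a file, review it by hand, pin its hash, execute the pinned file.

# Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    echo "no sha256 tool found" >&2
    return 2
  fi
}

# Step 1: download to disk. Nothing is executed here; HTTPS only, TLS 1.2+.
#   fetch_installer https://plannotator.ai/install.sh ./install.sh
fetch_installer() {
  url="$1"; out="$2"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Step 2 (manual): read ./install.sh, then record:  sha256_of ./install.sh

# Step 3: run only the exact bytes that were reviewed.
#   run_reviewed_installer ./install.sh <hash from step 2> [interpreter]
run_reviewed_installer() {
  file="$1"; expected="$2"; interp="${3:-bash}"   # upstream pipes into bash
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual != reviewed $expected" >&2
    return 1
  fi
  "$interp" "$file"
}
```

The same pinning applies to anything install.sh itself fetches: if the reviewed script downloads further files from plannotator.ai, those are unreviewed code again, and the review is only as good as the decision to stop there.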
Audit Metadata