jeo
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation script `scripts/install.sh` and `scripts/ensure-plannotator.sh` contain patterns that download and immediately execute shell scripts from external URLs using `curl | bash` (e.g., `https://plannotator.ai/install.sh` and `https://bun.sh/install`).
- [REMOTE_CODE_EXECUTION]: The skill executes dynamic Python code fetched from a local network endpoint `http://localhost:4747/pending` in `scripts/claude-agentation-submit-hook.py` and `scripts/setup-codex.sh`, which is a common vector for local privilege escalation or side-loading attacks in shared environments.
- [COMMAND_EXECUTION]: The `scripts/claude-plan-gate.py` script programmatically modifies `~/.claude/settings.json` to change the `permissionMode` to `acceptEdits`. This is designed to bypass human-in-the-loop approval requirements for file modifications during the 'EXECUTE' phase, effectively escalating the agent's privileges without explicit user consent for each action.
- [PROMPT_INJECTION]: The skill uses 'ralphmode' and specific instructions in `SKILL.md` to force the agent into an 'automatic' execution state, specifically instructing it to avoid reopening approval gates and to disregard certain safety/confirmation steps once a plan hash is matched.
- [EXTERNAL_DOWNLOADS]: The setup scripts (`setup-claude.sh`, `setup-codex.sh`, etc.) automatically register third-party plugins and MCP servers from unverified GitHub repositories and NPM packages without integrity checks.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:4747/pending, https://bun.sh/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata