plannotator
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
scripts/install.shfile executes remote code from an untrusted source by piping a script directly fromhttps://plannotator.ai/install.shinto the bash shell. This pattern is highly susceptible to man-in-the-middle attacks or server compromises, allowing for arbitrary code execution on the user's system. - [COMMAND_EXECUTION]: The
scripts/setup-opencode-plugin.shscript generates slash command configurations that use the dynamic context execution syntax (!command) combined with unvalidated user arguments. Specifically, the command!"plannotator annotate "$ARGUMENTS""creates a critical command injection vulnerability where a malicious user could provide crafted input to execute arbitrary shell commands. - [COMMAND_EXECUTION]: The
scripts/configure-remote.shscript modifies user shell profiles (e.g.,~/.bashrc,~/.zshrc) to persist environment variables. While intended for configuration, modifying startup scripts is a persistence mechanism that can be abused to execute commands automatically across shell sessions. - [DATA_EXFILTRATION]: Multiple setup scripts (
setup-hook.sh,setup-gemini-hook.sh,setup-codex-hook.sh) perform read and write operations on sensitive configuration directories of other AI agents, such as~/.claude/settings.jsonand~/.gemini/settings.json. This broad access to local configuration files poses a risk of data exposure. - [REMOTE_CODE_EXECUTION]: The installation and setup scripts utilize complex inline Python snippets to dynamically modify JSON configurations and shell environment variables, increasing the attack surface for script-based vulnerabilities during the setup process.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata