plannotator

Fail

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh file executes remote code from an untrusted source by piping a script directly from https://plannotator.ai/install.sh into the bash shell. This pattern is highly susceptible to man-in-the-middle attacks or server compromises, allowing for arbitrary code execution on the user's system.
  • [COMMAND_EXECUTION]: The scripts/setup-opencode-plugin.sh script generates slash command configurations that use the dynamic context execution syntax (!command) combined with unvalidated user arguments. Specifically, the command !"plannotator annotate "$ARGUMENTS"" creates a critical command injection vulnerability where a malicious user could provide crafted input to execute arbitrary shell commands.
  • [COMMAND_EXECUTION]: The scripts/configure-remote.sh script modifies user shell profiles (e.g., ~/.bashrc, ~/.zshrc) to persist environment variables. While intended for configuration, modifying startup scripts is a persistence mechanism that can be abused to execute commands automatically across shell sessions.
  • [DATA_EXFILTRATION]: Multiple setup scripts (setup-hook.sh, setup-gemini-hook.sh, setup-codex-hook.sh) perform read and write operations on sensitive configuration directories of other AI agents, such as ~/.claude/settings.json and ~/.gemini/settings.json. This broad access to local configuration files poses a risk of data exposure.
  • [REMOTE_CODE_EXECUTION]: The installation and setup scripts utilize complex inline Python snippets to dynamically modify JSON configurations and shell environment variables, increasing the attack surface for script-based vulnerabilities during the setup process.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 17, 2026, 07:07 AM
Security Audit — agent-trust-hub — plannotator