plannotator
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs include direct installer scripts hosted on plannotator.ai and a GitHub repo by a low-profile/unknown user (high-risk indicators for executable distribution), while entries like obsidian.md/download and the localhost address are low-risk; treat the plannotator download links as suspicious until the source, integrity (signatures/checksums), and community reputation are verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The install script (scripts/install.sh) will fetch and execute remote code at runtime via "curl -fsSL https://plannotator.ai/install.sh | bash" (and equivalent PowerShell/cmd URLs https://plannotator.ai/install.ps1 and https://plannotator.ai/install.cmd), which directly executes remote code and is relied on by the skill for installing the CLI.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata