plannotator
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `scripts/install.sh` script downloads and executes a remote shell script using the pattern `curl -fsSL https://plannotator.ai/install.sh | bash`. This allows for arbitrary code execution from an external, non-whitelisted domain during the installation process.
- [COMMAND_EXECUTION]: Multiple setup scripts (`setup-hook.sh`, `setup-gemini-hook.sh`, `setup-codex-hook.sh`) modify application settings in the user's home directory to register hooks that trigger the `plannotator` command. The `scripts/configure-remote.sh` script modifies shell profiles such as `.zshrc` and `.bashrc` to inject persistent environment variables.
- [COMMAND_EXECUTION]: The `scripts/setup-opencode-plugin.sh` script creates slash command definitions for OpenCode using dynamic context injection. The command ``!`plannotator annotate "$ARGUMENTS"` `` incorporates unvalidated user input directly into a shell command, facilitating command injection.
- [DATA_EXFILTRATION]: The skill captures agent plans and git diffs, which can contain sensitive source code or project details. It provides features to export this data to external note-taking apps like Obsidian and Bear, or share them via a third-party portal at `share.plannotator.ai`.
- [PROMPT_INJECTION]: Instructions appended to agent configuration files (e.g., `~/.codex/config.toml` and `~/.gemini/GEMINI.md`) override default agent behavior by mandating the use of the plannotator review workflow and directing the agent to execute specific shell commands to handle plan submissions.
Recommendations
- HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata