plannotator

Warn

Audited by Socket on Mar 23, 2026

2 alerts found:

Anomaly x2
Anomaly LOW
SKILL.md

SUSPICIOUS: The skill’s stated purpose mostly matches its capabilities, but it expands trust through repo-run install scripts, plugin installation, and undocumented sharing endpoints. The main concern is medium supply-chain and data-flow uncertainty rather than confirmed malicious behavior.

Confidence: 71%
Severity: 59%
Anomaly LOW
scripts/install.sh

The script is a typical installer wrapper with optional integration setup. The major security concern is the remote installer execution via curl | bash, which can run unverified code from an external source. This is a high-risk pattern (source-to-sink path) and should be mitigated by using verified installers, checksums/signatures, or downloading to a file and running with explicit verification. Otherwise, the script itself contains no overt malicious behavior, but relies on external remote code that could compromise the system if the remote source is compromised.

Confidence: 68%
Severity: 60%
Audit Metadata
Analyzed At: Mar 23, 2026, 02:07 PM
Package URL: pkg:socket/skills-sh/akillness%2Foh-my-unity3d%2Fplannotator%2F@d0aa2a1d7a9524266b72780a43c6f06acb3083bc