plannotator-annotate
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute
plannotator annotate <path-or-url>using a Bash shell. If the<path-or-url>argument is derived from untrusted user input without sanitization, an attacker could execute arbitrary commands by injecting shell metacharacters such as semicolons, pipes, or backticks. - [PROMPT_INJECTION]: The skill processes content from external files and URLs, exposing the agent to indirect prompt injection vulnerabilities.
- Ingestion points: Files (Markdown, HTML) and URLs provided by the user are loaded into the annotation environment (SKILL.md).
- Boundary markers: The instructions lack delimiters or explicit warnings to disregard potential instructions embedded within the external documents being annotated.
- Capability inventory: The agent has the capability to execute shell commands and is instructed to "address" annotations returned from the external tool, which could contain malicious instructions (SKILL.md).
- Sanitization: No validation or sanitization is specified for the input path or URL before it is passed to the shell command execution.
Audit Metadata