skills/jeo-tech-ai/oh-my-gods/bmad/Gen Agent Trust Hub

bmad

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh file and setup instructions in SETUP.md use a piped execution pattern (curl -sSfL https://plannotator.ai/install.sh | sh) to install external components. This allows for arbitrary code execution from a remote server without any integrity verification or sandboxing.
  • [EXTERNAL_DOWNLOADS]: The skill requires downloading and running external scripts and binaries from plannotator.ai. This domain is not recognized as a trusted organization or well-known service within the established security scope, introducing an unverifiable dependency on third-party infrastructure.
  • [COMMAND_EXECUTION]: Several scripts, including scripts/check-status.sh and scripts/phase-gate-review.sh, use the python3 -c flag to execute dynamically generated Python logic for YAML parsing and state management. This increases the potential for code injection if internal file contents or environment variables are manipulated.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process user-provided documents like Product Requirements Documents (PRDs) and Technical Specifications. These documents serve as ingestion points for untrusted data. While the fabric pattern in SKILL.md uses boundary markers, the skill lacks rigorous input sanitization, making it vulnerable to indirect prompt injection where malicious instructions embedded in project documentation could influence agent behavior.
Recommendations
  • HIGH: Downloads and executes remote code from: https://plannotator.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 20, 2026, 07:00 AM