omg
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill uses high-risk installation patterns that download and execute code from remote servers.
  - Evidence: scripts/install.sh executes "curl -fsSL https://bun.sh/install | bash" and "curl -fsSL https://plannotator.ai/install.sh | bash" to install dependencies from external domains.
- [PERSISTENCE_MECHANISMS]: The setup scripts modify local configuration files of AI tools to install persistent execution hooks.
  - Evidence: scripts/setup-claude.sh, scripts/setup-codex.sh, and scripts/setup-gemini.sh add custom hooks to ~/.claude/settings.json, ~/.codex/config.toml, and ~/.gemini/settings.json that execute local Python scripts on specific agent lifecycle events.
- [DYNAMIC_EXECUTION]: The skill uses the subprocess module and shell commands to generate and run executable logic at runtime.
  - Evidence: scripts/claude-plan-gate.py and scripts/plannotator-plan-loop.sh invoke local binaries and git commands. The skill also contains instructions to pipe output from a local tool server (http://localhost:4747/pending) directly into a Python interpreter.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (plan feedback and UI annotations) which drives the agent's behavior.
  - Evidence: The skill reads annotations from the agentation tool and feedback from plannotator to automatically trigger code-fixing and planning loops, creating a surface for indirect instructions to influence agent actions.
Recommendations
- HIGH: Downloads and executes remote code from http://localhost:4747/pending and https://bun.sh/install. DO NOT USE without thorough review.
Audit Metadata