Plane.so CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
The Plane.so access matches the stated purpose, but the package claims to include a CLI and security safeguards while providing only instructions and no code to verify them.
Review this skill carefully before installing. Its Plane API access is expected for the purpose, but the package does not include the CLI it claims to bundle, so the security claims and credential handling cannot be verified from the provided artifacts. Wait for a package that includes the referenced script or a clear pinned install source, and use a least-privileged Plane token if you proceed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fail, or it may end up relying on an unreviewed or unrelated command available in the environment, while users cannot verify how their Plane API key is handled.
The supplied artifact set says there are no code files and no install spec, so the claimed bundled executable is missing from review. For a CLI that handles an API key and can mutate Plane workspace data, this is a material provenance gap.
The `plane-so-cli` executable is bundled in `scripts/plane-so-cli` and available on PATH after installation.
Do not provide a Plane API key until the referenced CLI script or a clear, pinned install source is included and reviewed.
Users may over-trust the skill with a Plane API key and workspace mutation authority based on claims that cannot be validated from the provided artifacts.
These security and privacy assurances depend on code that is not present in the provided package, and the bundling claim conflicts with the manifest showing only SKILL.md.
This skill communicates **only** with the Plane.so API. The API host is hardcoded to `api.plane.so` and cannot be overridden. ... No data is cached, logged, or stored locally ... bundled in `scripts/plane-so-cli`
Treat the security and privacy claims as unverified until the actual CLI source is included in the skill package or otherwise independently reviewed.
Anyone or anything using this environment variable may be able to act through the user's Plane account according to the token's permissions.
The Plane API key is expected for this integration and is disclosed, but it grants the CLI delegated access to the user's Plane workspace.
export PLANE_API_KEY="your-api-key" ... Your `PLANE_API_KEY` is sent as an `X-API-Key` header exclusively to `https://api.plane.so`
Use the least-privileged Plane token available, keep it out of shared logs or shells, and revoke it when no longer needed.
A mistaken or overly broad agent action could create, modify, assign, comment on, or delete Plane issues.
The CLI exposes workspace-changing operations. These are aligned with the stated project-management purpose, but they can still alter or delete team work items.
plane-so-cli issues create ... plane-so-cli issues update ... plane-so-cli issues assign ... plane-so-cli issues delete ... plane-so-cli comments add
Require explicit user confirmation for create, update, assignment, comment, and delete operations, especially in shared or production workspaces.
