Plane.so CLI
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: plane-so-cli
Version: 1.2.0
The skill bundle, comprising `_meta.json` and `SKILL.md`, clearly outlines its purpose: to manage Plane.so projects via a Python CLI. The `SKILL.md` explicitly states that it communicates only with `https://api.plane.so`, requires `PLANE_API_KEY` and `PLANE_WORKSPACE` environment variables, and claims no data caching, logging, or telemetry. There are no indications of prompt injection attempts, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the provided files. The instructions are transparent and align with the stated benign purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fail, or it may end up relying on an unreviewed or unrelated command available in the environment, while users cannot verify how their Plane API key is handled.
The supplied artifact set says there are no code files and no install spec, so the claimed bundled executable is missing from review. For a CLI that handles an API key and can mutate Plane workspace data, this is a material provenance gap.
The `plane-so-cli` executable is bundled in `scripts/plane-so-cli` and available on PATH after installation.
Do not provide a Plane API key until the referenced CLI script or a clear, pinned install source is included and reviewed.
Users may over-trust the skill with a Plane API key and workspace mutation authority based on claims that cannot be validated from the provided artifacts.
These security and privacy assurances depend on code that is not present in the provided package, and the bundling claim conflicts with the manifest showing only SKILL.md.
This skill communicates **only** with the Plane.so API. The API host is hardcoded to `api.plane.so` and cannot be overridden. ... No data is cached, logged, or stored locally ... bundled in `scripts/plane-so-cli`
Treat the security and privacy claims as unverified until the actual CLI source is included in the skill package or otherwise independently reviewed.
Anyone or anything using this environment variable may be able to act through the user's Plane account according to the token's permissions.
The Plane API key is expected for this integration and is disclosed, but it grants the CLI delegated access to the user's Plane workspace.
export PLANE_API_KEY="your-api-key" ... Your `PLANE_API_KEY` is sent as an `X-API-Key` header exclusively to `https://api.plane.so`
Use the least-privileged Plane token available, keep it out of shared logs or shells, and revoke it when no longer needed.
A mistaken or overly broad agent action could create, modify, assign, comment on, or delete Plane issues.
The CLI exposes workspace-changing operations. These are aligned with the stated project-management purpose, but they can still alter or delete team work items.
plane-so-cli issues create ... plane-so-cli issues update ... plane-so-cli issues assign ... plane-so-cli issues delete ... plane-so-cli comments add
Require explicit user confirmation for create, update, assignment, comment, and delete operations, especially in shared or production workspaces.
