4To1 Planner - AI Planning Coach
Pass. Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill is classified as suspicious due to critical vulnerabilities that could lead to Remote Code Execution (RCE) and shell injection. Specifically, `scripts/setup.sh` uses `read -p` to capture user input (e.g., API keys) and writes it directly to `~/.config/4to1/config` using `echo`, which is vulnerable to shell injection. This is compounded by `scripts/status.sh`, which then `source`s this config file, creating an RCE vulnerability in which an attacker who can inject arbitrary commands into the config file has them executed. Additionally, `SKILL.md` contains instructions for the AI agent to process user input for backend operations (e.g., 'Quick Add'), which presents a prompt injection risk if the agent does not properly sanitize user-provided content before constructing API calls or writing local files.
