Back to skill

Security audit

4To1 Planner - AI Planning Coach

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate planning assistant, but it needs review because it stores API tokens in plaintext and its status script executes the local config file as shell code.

Install only if you are comfortable giving this skill access to personal planning data and external task or calendar services. Prefer the local Markdown backend or tightly scoped integrations, protect ~/.config/4to1/config, rotate any tokens stored there if exposed, and avoid running scripts/status.sh unless you have inspected the config file first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises that the skill can connect to Notion, Todoist, Google Calendar, and read user planning data, but it does not disclose what data is accessed, how it is stored, whether it is transmitted to third-party services, or what permissions are required. For a planning skill handling potentially sensitive goals, schedules, and personal productivity data, this omission can mislead users into granting broad access without informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation phrases are broad everyday requests like planning help and daily focus, which can cause the skill to trigger in contexts where the user did not intend external storage, file writes, or API-backed planning operations. Because this skill can persist data and interact with third-party services, accidental invocation materially increases privacy and integrity risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs writing plans, goals, habits, and review data to Notion, Todoist, Google services, or local files without a clear user-facing warning that sensitive personal data will be stored or transmitted. This is risky because planning data often includes personal, professional, health, or financial goals that users may not expect to leave the chat session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prompts for a Notion API key and writes it in plaintext to a config file under the user's home directory without warning, masking, or permission hardening. This creates a real credential exposure risk if the file is readable by other local users, included in backups, or accidentally exfiltrated by other tools or malware.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Todoist API token is collected interactively and appended to a plaintext config file, again without informing the user that a long-lived secret is being stored on disk. Any process, backup, sync tool, or local user with access to that file can potentially reuse the token to access the user's task data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script executes `source "$CONFIG"` on a user-controlled config file, which means any shell commands placed in that file will run with the privileges of whoever invokes `status.sh`. This is dangerous because a file expected to contain only configuration values becomes an arbitrary code execution surface, and the script gives no validation, sandboxing, or warning before execution.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "do my weekly review" or similar is broad enough that the skill may activate on loosely related user requests without clearly signaling that it will access backend planning data. In a skill connected to Notion, Todoist, Google Calendar, or local Markdown, ambiguous activation can cause unintended retrieval and exposure of sensitive productivity history and personal planning information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The template instructs the agent to pull sprint tasks, milestone progress, prior reviews, and behavioral tracking lists from configured backends without any upfront notice or consent prompt. Because these sources can contain sensitive personal, professional, and behavioral information, silent access increases the risk of privacy violations and over-collection beyond the user's immediate expectation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.