Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Plane.so

v1.0.0

Manage Plane.so projects and work items using the `plane` CLI. List projects, create/update/search issues, manage cycles and modules, add comments, and assign members.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is described as a Plane.so CLI integrator and the SKILL.md requests the plane CLI plus PLANE_API_KEY and PLANE_WORKSPACE — these are appropriate and expected for the stated purpose. However, the registry-level metadata (provided with the skill) lists no required binaries or env vars while the SKILL.md metadata declares both — this inconsistency is unexplained and could be a packaging error.
Instruction Scope
Runtime instructions are limited to installing the plane CLI, setting PLANE_API_KEY and PLANE_WORKSPACE, and running plane commands (listing projects/issues, creating/updating issues, comments, cycles, etc.). The SKILL.md does not instruct reading unrelated files, harvesting other environment variables, or sending data to unexpected external endpoints.
Install Mechanism
The SKILL.md (and its embedded metadata) instructs downloading a script from raw.githubusercontent.com and placing it in ~/.local/bin, from which it will be executed. Downloading and executing arbitrary scripts from a GitHub user repository is common but carries risk — the script can contain arbitrary code. The host (raw.githubusercontent.com) is a normal release host, but you should inspect the script and prefer an official published release if one is available.
Credentials
The only required env vars in the SKILL.md are PLANE_API_KEY and PLANE_WORKSPACE, which are proportional to the functionality. However, the registry metadata (earlier in the bundle) lists no required env vars — that mismatch between the declared requirements and the SKILL.md should be resolved by the publisher.
Persistence & Privilege
The skill does not request `always: true` and does not claim system-wide privileges. Installation writes a CLI into the user's ~/.local/bin (user-level), which is normal for CLI tools. Autonomous invocation of the skill by the agent is allowed (platform default) but is not an additional privilege in this bundle.
What to consider before installing
This skill appears to do what it says (manage Plane.so via the plane CLI), but take these precautions before installing:
1) Confirm the publisher/repo (https://github.com/JinkoLLC/plane-skill) is trustworthy and review the script at the raw URL — downloading and executing it will run arbitrary code on your machine.
2) Prefer an official release or package for the plane CLI if one exists instead of a raw script.
3) Provide PLANE_API_KEY with the minimum necessary permissions and keep it secret.
4) Ask the publisher to fix the registry metadata mismatch (it should declare the required binary and env vars) so the package manifest is consistent.
5) If you must install, inspect the downloaded file contents and consider running it in a safe environment first (e.g., a container or VM).
