Plane.so

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Plane.so CLI helper, but users should verify the downloaded CLI and use a limited Plane API token.

Before installing, inspect the GitHub-hosted plane script or prefer a pinned release/checksum if available. Use the least-privileged Plane token you can, and confirm project and issue IDs before running update, assignment, comment, or delete commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly documents `plane issues delete -p PROJECT_ID ISSUE_ID` without any caution, confirmation guidance, or clear warning that it permanently removes work items. In an agent skill context, exposing a destructive action as a routine command increases the chance of accidental or overly broad deletion by users or automated agents operating with API credentials.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal