Plane.so
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: plane
Version: 1.0.0
The skill is classified as suspicious due to its installation method, which involves downloading and executing an external script (`plane`) from a raw GitHub URL (`https://raw.githubusercontent.com/JinkoLLC/plane-skill/main/scripts/plane`) via `curl` and `chmod +x` as specified in `SKILL.md`. This introduces a supply chain risk, as the content of the downloaded script is not part of the skill bundle and could be altered remotely without a version change, potentially leading to arbitrary code execution. While the provided files do not contain explicit malicious intent or prompt injection attempts, this remote execution capability is a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the downloaded CLI changes upstream or is compromised, it would run locally and use the user's Plane credentials.
The skill asks the user to install an executable script from a moving GitHub raw URL; the actual script was not included in the reviewed artifacts, so its contents and provenance cannot be verified here.
curl -o ~/.local/bin/plane https://raw.githubusercontent.com/JinkoLLC/plane-skill/main/scripts/plane
chmod +x ~/.local/bin/plane
Review the script before installing, prefer a pinned release or checksum if available, and only install from a trusted source.
The CLI can act as the authenticated Plane user within the configured workspace, depending on the token's permissions.
The integration uses a Plane personal access token and workspace slug, which is expected for Plane access but grants account/workspace authority to the CLI.
export PLANE_API_KEY="your-api-key"
export PLANE_WORKSPACE="your-workspace-slug"
Use the least-privileged token available, avoid sharing the token, and revoke it if the CLI or machine is no longer trusted.
Mistaken or overly broad commands could change or remove project work items.
The documented CLI operations can modify assignments, update issue state/priority, and delete issues in Plane. This matches the stated project-management purpose, but these are high-impact workspace actions.
plane issues update -p PROJECT_ID ISSUE_ID --state STATE_ID --priority medium
plane issues assign -p PROJECT_ID ISSUE_ID USER_ID_1 USER_ID_2
plane issues delete -p PROJECT_ID ISSUE_ID
Confirm project IDs, issue IDs, and destructive actions before running mutation commands, especially deletes or assignment changes.
