Back to skill

Security audit

Plane.so

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Plane.so CLI helper, but users should verify the downloaded CLI and use care with workspace-changing commands.

Before installing, inspect the GitHub-hosted plane script or prefer a pinned release/checksum if available. Use a least-privileged Plane API token, and verify project and issue IDs before running update, assignment, comment, or delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly documents a destructive deletion command for issues without any warning, confirmation guidance, or mention of reversibility. In an agent-skill context, this increases the chance that a user or autonomous agent will execute irreversible work-item deletion based on a terse instruction or misunderstanding, causing loss of project data and audit history.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.