Planka

Security checks across malware telemetry and agentic risk

Overview

This Planka skill is purpose-aligned, but it needs review because it asks users to install an external CLI and pass a Planka password on the command line.

Install only if you trust the third-party planka-cli Homebrew tap and the Planka account you configure can safely perform the intended actions. Avoid putting real passwords directly into shell commands; prefer an interactive prompt, a secure credential store, or a limited-use account, and require confirmation before creating, moving, updating, or deleting cards.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill instructs users to provide the Planka password directly as a command-line argument, which can expose credentials through shell history, process listings, audit logs, or terminal recording tools. In this context, the skill is specifically about authenticating to a remote service, so leaking those credentials could allow unauthorized access to boards, cards, comments, attachments, and other potentially sensitive project data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal