Is luiseduardoaugusto/plane-so-cli safe?

https://github.com/openclaw/skills/tree/main/skills/luiseduardoaugusto/plane-so-cli

Score: 88 (SAFE)

The plane-so-cli skill is documentation-only: the installed package contains only SKILL.md and _meta.json, with no executable code, no git hooks, no npm scripts, and no bundled binary, even though SKILL.md claims one is present. Monitoring detected no malicious behavior during installation: canary file accesses were traced to the audit framework itself, network activity was limited to the expected GitHub clone, and no persistent connections were established. The primary concerns are the false claim that a binary is bundled, which could cause an agent to autonomously fetch unverified code at runtime, and the inherent credential exposure of transmitting PLANE_API_KEY to an external API whose actual endpoint behavior cannot be audited without the binary.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

HIGH Claimed bundled binary is absent -12

SKILL.md states 'The plane-so-cli executable is bundled in scripts/plane-so-cli and available on PATH after installation.' The installed file set contains only SKILL.md and _meta.json — no scripts/ directory was created. An agent relying on this skill will encounter a command-not-found error and may attempt to install the binary from an unverified external source, constituting an uncontrolled code execution risk.

MEDIUM PLANE_API_KEY transmitted to third-party service on every invocation -20

The skill's primaryEnv is PLANE_API_KEY. Every plane-so-cli command sends this credential as an HTTP header to https://api.plane.so. While this is the stated and expected purpose of the skill, the credential exposure cannot be fully audited because the binary is not present and endpoint hardcoding is unverifiable.

MEDIUM Missing binary creates unguided runtime dependency -28

Because no executable ships with the skill, an agent following SKILL.md instructions will be unable to complete any task. The agent may autonomously attempt to install plane-so-cli via pip, curl, or another mechanism, potentially fetching untrusted code. The skill provides no fallback, verification step, or installation guidance beyond claiming the binary is already present.

LOW Misleading documentation may induce unintended agent behavior -8

Describing a non-existent bundled binary as present on PATH constitutes a false premise injected into the agent's context. While not a deliberate prompt injection attack, an agent that trusts this claim may exhibit unexpected behavior when commands fail, including autonomous troubleshooting that expands its tool use beyond the intended scope.

INFO Pre-existing external connection not attributable to skill 0

The BEFORE socket snapshot shows an established connection to 185.125.188.58:443 (Ubuntu/Canonical infrastructure). This connection was already present before install and closed afterward. It is attributable to the audit environment, not to the skill.

INFO Canary file read events traced to audit framework, not skill 0

Sensitive file accesses (/.env, /.ssh/id_rsa, /.aws/credentials, etc.) appear in inotify and auditd logs at timestamps 1771904522 (5 seconds before install starts) and 1771904545 (post-install check). Both clusters are consistent with the audit framework's own setup and integrity-verification routines. No skill-originated process accessed these files.