Executes fully finalized, immutable plans with strict validation, performing each predefined step in order without modification or interpretation.
Security Analysis
medium confidenceThe skill's declared purpose (executing finalized plans verbatim) matches its instructions, but the runtime rules (silent execution, no interpretation, and no logging) combined with autonomous execution capability create significant safety concerns and lack important safeguards.
Name and instructions align: a 'plan-executor' is expected to take a finalized plan and run it. The skill requests no unrelated binaries, env vars, or installs. 'allowed-tools: system-io' is consistent with executing actions, though its exact capabilities are unspecified.
The SKILL.md mandates executing actions exactly as written with zero interpretation, zero clarification, and no intermediate output on success. That makes the skill capable of performing destructive or data-exfiltrating operations silently if such actions appear in a plan. The preflight checks are vague about how to verify 'undeclared resources' or 'irreversible actions' in practice. The prohibition on questions, logs, or recovery removes normal safety checks and auditability.
Instruction-only skill with no install spec and no code files; this is low supply-chain risk because nothing is downloaded or written during install.
The skill requests no environment variables, credentials, or config paths — appropriate for an executor. However, 'system-io' (listed as an allowed tool) could imply broad system access (files, network, commands); the SKILL.md does not limit or define what actions are permitted, so actual access scope is unclear.
always:false (good) but disable-model-invocation:false means the agent may autonomously invoke this skill. Combined with the instruction to run plans verbatim and not produce logs or confirmations, that autonomous capability materially increases risk: the platform could execute harmful finalized plans without interactive human oversight.
Guidance
This skill will run any plan that is marked FINALIZED/EXECUTION-READY exactly as written, without asking questions or producing success output — which can let destructive or exfiltrative steps run silently. Before installing: ensure you trust the plan source completely; require human confirmation before any execution; restrict or sandbox the 'system-io' tool so the skill cannot access network or sensitive files; demand logging/audit and a dry-run mode; and insist on a clear, machine-checked plan schema (step formats, allowed actions, whitelisted targets). If you cannot enforce those safeguards, do not enable autonomous invocation of this skill. Additional information that would raise confidence: a precise specification of allowed actions/targets, an implementation-level sandbox, example plan formats, and built-in audit/logging or a human-approval gate.
Latest Release
v1.0.0
Initial release of the plan-executor skill. - Executes only validated, frozen plans explicitly marked as FINALIZED, EXECUTION-READY, and IMMUTABLE. - Enforces strict preflight verification, step ordering, and input/output handling. - Halts immediately on any ambiguity, error, or nonconformity with activation criteria. - Provides strict output rules: nothing on success, a single notice or dot (`.`) on failure or user stop. - Applies strong guardrails prohibiting planning, inference, or side effects beyond the explicit plan.
Popular Skills
Published by @plan on ClawHub
