ohmg
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `bunx` and `uv` to download and execute its own CLI tools (oh-my-ag). These appear to be the primary functional components of the framework. As this is the core intended purpose of the skill (a CLI-based orchestrator), and no suspicious third-party domains or obfuscated URLs are present, these downloads are considered standard behavior.
- [COMMAND_EXECUTION]: The skill documentation lists several Bash commands (e.g., `bunx oh-my-ag doctor`, `oh-my-ag agent:spawn`) for system verification and agent management. These are legitimate administrative functions for an orchestration tool.
- [DATA_EXFILTRATION]: No evidence of sensitive file access (like SSH keys or AWS credentials) or unauthorized network transmissions was found. The skill uses a local directory (`.serena/memories/`) for state management.
- [PROMPT_INJECTION]: The skill instructions focus on functional task decomposition and role-playing for specific agents (PM, Frontend, etc.). There are no instructions that attempt to bypass safety filters or override system-level constraints.
Audit Metadata