omc

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes example commands that pass secrets as literal command-line arguments (e.g., --token <bot_token>, --webhook ), which encourages embedding secret values verbatim into generated commands or outputs and thus poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation step explicitly instructs fetching and installing the plugin from https://github.com/Yeachan-Heo/oh-my-claudecode, which at runtime would download and install remote code that can add/alter agent commands and execution logic, so it directly controls agent behavior.