ohmg
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `bunx` to download and execute the `oh-my-ag` package from a public registry. This package is sourced from `first-fluke/oh-my-ag`, which is not a trusted organization or the skill author's verified namespace.
- [COMMAND_EXECUTION]: The framework relies heavily on shell execution for core functionality, including system diagnostics (`doctor`), service monitoring (`dashboard`), and dynamic agent instantiation (`agent:spawn`). These operations provide significant control over the local environment.
- [PROMPT_INJECTION]: The skill's multi-agent orchestration pattern creates a surface for indirect prompt injection. Malicious instructions processed by the 'PM Agent' during task decomposition could influence the downstream actions of specialized agents.
  - Ingestion points: Requirements and task decomposition input handled by the PM Agent in `SKILL.md`.
  - Boundary markers: None present to separate user-provided task descriptions from agent instructions.
  - Capability inventory: `Bash` tool usage, file system writing to `.serena/memories/`, and process spawning via CLI.
  - Sanitization: No explicit validation or escaping of task data before it is passed to the `agent:spawn` command.
- [DATA_EXFILTRATION]: The `bridge` command enables mapping local stdio to an HTTP/SSE server. While typically used for development, this functionality could be used to transmit agent state or session data to an external endpoint.
Audit Metadata