deep-dive

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from the user's codebase during investigation phases, which is identified as an indirect prompt injection surface. The skill incorporates several architectural mitigations to manage this risk.
  • Ingestion points: Codebase content is analyzed during Phase 1 (exploration) and Phase 3 (trace execution) to inform the subsequent interview stage.
  • Boundary markers: All findings and codebase context injected into the agent's prompt are wrapped in explicit <trace-context> delimiters to separate data from instructions.
  • Capability inventory: The skill has the ability to write to the filesystem (.omc/specs/) and trigger automated execution through downstream skills like autopilot or ralph.
  • Sanitization: The skill includes a mandatory 'Untrusted data guard' in Phase 4 that explicitly instructs the agent to treat trace-derived text strictly as data and never as directives.
  • [COMMAND_EXECUTION]: The skill operates as a high-level orchestrator that invokes other specialized skills for technical tasks.
  • Evidence: In Phase 5 (Execution Bridge), the skill triggers downstream execution by invoking Skill("oh-my-claudecode:omc-plan"), Skill("oh-my-claudecode:autopilot"), and others within the vendor's ecosystem.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 02:35 PM