doctor
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill downloads CLAUDE.md from an untrusted repository (Yeachan-Heo/oh-my-claudecode) via WebFetch and writes it to ~/.claude/CLAUDE.md. In the Claude Code ecosystem, CLAUDE.md files provide core instructions that govern agent behavior, making this a high-risk remote instruction injection vector.
- [Command Execution] (HIGH): The skill includes 'Auto-Fix' logic that executes destructive rm -rf commands on directories containing user data (~/.claude/agents, ~/.claude/commands, ~/.claude/skills). While intended for cleanup, the provided commands are unconditional and could permanently delete legitimate user-created content without sufficient validation.
- [Data Exposure & Exfiltration] (MEDIUM): The skill reads ~/.claude/settings.json. This file is a sensitive configuration store for the AI environment and may contain private settings, session tokens, or API configurations.
- [Indirect Prompt Injection] (LOW): The skill establishes an injection surface by ingesting the content of a remote CLAUDE.md file. Because this file is used to guide future agent interactions, a malicious update to the remote file could compromise the agent's integrity. Evidence:
  - Ingestion points: WebFetch of CLAUDE.md.
  - Boundary markers: None; content is requested to be returned 'exactly as-is'.
  - Capability inventory: Subprocess calls (rm, ls, grep), file system write access.
  - Sanitization: None; raw markdown is written directly to the config path.
Recommendations
- AI detected serious security threats
Audit Metadata