help
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Data Exposure (HIGH): The skill directly accesses and reads from ~/.claude/.omc-config.json. The ~/.claude/ directory is a sensitive location used by Claude Code to store internal configuration and potentially credentials.
- Unverifiable Dependencies & Remote Code (HIGH): The documentation instructs the user to run /oh-my-claudecode:omc-setup, which it explicitly states "downloads the configuration" from a repository owned by an untrusted external user (Yeachan-Heo). This bypasses standard package management and executes/installs unverified remote content.
- Indirect Prompt Injection (HIGH): The skill processes untrusted data from session-history.json and token-tracking.jsonl.
  - Ingestion points: Reads files generated from previous (potentially attacker-influenced) interactions.
  - Boundary markers: Absent. No delimiters or instructions to ignore embedded commands in the history data.
  - Capability inventory: File read (cat), JSON parsing (jq), and the ability to generate "Recommendations" that influence the agent's future behavior/configuration.
  - Sanitization: None. Data is piped directly from files into jq and then displayed/used for logic.
- Privilege Escalation (MEDIUM): The skill performs file system reconnaissance by checking for the existence of specific directories and configuration files in the user's home directory to determine execution modes.
Recommendations
- AI detected serious security threats
Audit Metadata