skills/yeachan-heo/oh-my-claudecode/omc-doctor/Snyk

omc-doctor

Warn

Audited by Snyk on Apr 12, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The Auto-Fix step in SKILL.md instructs the agent to fetch raw markdown from a public GitHub URL (https://raw.githubusercontent.com/Yeachan-Heo/oh-my-claudecode/main/docs/CLAUDE.md) and write it into the user's CLAUDE.md, so untrusted third-party content is explicitly ingested and could change subsequent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's auto-fix explicitly calls WebFetch at runtime to retrieve https://raw.githubusercontent.com/Yeachan-Heo/oh-my-claudecode/main/docs/CLAUDE.md and write it into CLAUDE.md, and that fetched markdown is used as agent configuration/markers that directly control prompts/instructions.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 12, 2026, 05:56 AM

Issues

2