Ohmy Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a skill ranking and recommendation helper with somewhat broad activation wording, but no evidence of hidden access, persistence, credential handling, or unsafe actions.

Install if you want a helper for OhMy skill ranking or recommendations. Be aware it may activate on broad ranking or recommendation prompts, so review its responses when your request was not specifically about this skill ecosystem.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The changelog explicitly expands trigger coverage with broad phrases such as skill ranking and recommendation queries, but does not indicate tight activation boundaries or disambiguation rules. In an agent setting, overly broad triggers can cause the skill to activate outside intended contexts, leading to unintended processing, recommendation injection, or interference with other skills.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger set includes broad, generic phrases such as 'ohmy', '排行榜', and recommendation-related terms that can match ordinary user requests unrelated to this specific skill. In an agent ecosystem, overly broad invocation patterns can cause accidental activation, unintended handling of sensitive user prompts, and interception of requests meant for other skills, increasing the chance of confused-deputy behavior or unsafe automated actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal