Oh-my-openagent
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is not clearly malicious, but it documents a very powerful external OpenCode plugin that can use local credentials, autonomous/background agents, shell/file tools, and unpinned remote installs.
Install only if you trust the oh-my-opencode upstream project and are comfortable with a powerful local coding agent plugin. Pin or review the external package, do not let the agent print credential files, run it in a git branch or disposable workspace, restrict tools/background tasks where possible, and monitor autonomous loops closely.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following these instructions could expose or misuse provider tokens or account authentication details if it reads or prints the auth file.
The skill documentation points directly to a local credential store for provider authentication/status checks, but does not describe redaction, least-privilege use, or limits on what an agent should read or reveal.
Auth tokens stored in: `~/.local/share/opencode/auth.json` ... Auth status: Look at `~/.local/share/opencode/auth.json`
Do not let the agent display auth.json contents. Prefer provider status commands or manually redact secrets, and only grant provider access you are comfortable using with this plugin.
The agent may keep making changes or running tools longer than expected until manually stopped.
The plugin intentionally supports long-running autonomous work, and the artifacts do not define clear limits for what changes, commands, or provider calls may happen during that continuation.
/ralph-loop ... The agent continues working autonomously until the task is complete, re-evaluating and adjusting as it goes.
Use autonomous loops only in a controlled workspace or branch, monitor them actively, and know how to use `/cancel-ralph` and `/stop-continuation` before enabling them.
Mistakes or over-broad instructions could change many files or run local commands.
Broad file mutation, shell execution, and workspace-wide refactoring tools are expected for a coding orchestration plugin, but they are high-impact capabilities.
OmO injects 40+ tools into agents ... `write` ... `edit` ... `bash` Execute shell commands ... `lsp_rename` Rename symbol across entire workspace
Restrict tools for agents that do not need write or shell access, review diffs before committing, and use backups or a clean git branch.
You may install a newer or different plugin version than expected, and ClawScan did not review that external package code here.
The documented install path fetches an external package/plugin and uses `@latest`, so the executed code can change over time and is not included in this skill artifact set.
bunx oh-my-opencode install ... "plugin": ["oh-my-opencode@latest"]
Review the upstream repository/package, pin a trusted version where possible, and avoid installing from `latest` in sensitive environments.
Loading an untrusted custom skill could start a local process or fetch code through npm-style tooling.
The documentation supports skill-embedded MCP servers that start commands when a skill is loaded. This is a documented extension mechanism, but it can execute external code if used with untrusted skills.
Skills can declare MCP servers in frontmatter ... command: npx ... The MCP is started when the skill is loaded
Only load custom skills and MCP definitions you trust, review their commands and environment variables, and avoid automatic loading from untrusted projects.
Past chat/session content or generated project context could be surfaced or reused in later tasks, including sensitive information if present.
The plugin exposes session-reading/search capabilities and other references describe handoff and knowledge-base creation, which can reuse prior context across work.
`session_read` Read messages from a session ... `session_search` Search across session messages
Avoid putting secrets in chat, review generated handoff or AGENTS.md files before sharing, and limit session/context access where possible.