Security audit

Oh-my-openagent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent but very powerful OpenCode orchestration skill that should be reviewed carefully before installation.

Install only if you trust the upstream oh-my-openagent/oh-my-opencode project and are comfortable giving it broad local coding-agent authority. Prefer pinning a reviewed plugin version, use a clean branch or disposable workspace, keep autonomous loops supervised, avoid printing or sharing `auth.json`, and disable or restrict hooks, background tasks, MCPs, and mutating tools you do not need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The documentation advertises autonomous loop commands that continue operating until completion, but it does not warn users about unattended execution, long runtimes, repeated tool actions, or the need for supervision and clear stop conditions. In an agent-orchestration skill, this omission is more dangerous because users may invoke these commands in real repositories or connected environments, increasing the chance of excessive changes, cost, or unintended actions.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding: The /init-deep command says it creates a hierarchical AGENTS.md knowledge base, but does not clearly warn that it will write new files into the workspace and potentially alter repository state. In this skill context, file creation is an expected capability, but the lack of explicit notice can still surprise users and lead to unintended changes being committed or applied in sensitive directories.

Missing User Warnings

Severity: Low
Confidence: 74%
Finding: The /handoff command is described as capturing session state, decisions, modified files, and remaining tasks, but there is no warning that this may aggregate sensitive project context or proprietary information into a summary artifact. Because this skill is specifically for multi-agent orchestration and context transfer, the absence of data-handling guidance increases the risk of over-collection or accidental sharing across sessions or operators.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation explicitly tells users that auth tokens are stored in `~/.local/share/opencode/auth.json` but does not warn that this file contains sensitive credentials. In a skill about provider configuration and authentication, encouraging users to inspect or edit a token store without secrecy guidance increases the chance of accidental credential exposure through terminal output, screenshots, logs, or copy-paste into chats.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The guidance to check auth status by looking at `~/.local/share/opencode/auth.json` directly encourages inspection of a credential store rather than a redacted status command. Because this skill is specifically about provider authentication and model routing, users are more likely to follow the instruction during setup and may inadvertently expose live API keys or OAuth tokens.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The dev-browser trigger phrases are broad, natural-language patterns such as "go to [url]", "click on", and "scrape" that can match many ordinary requests. In a system where skills inject capabilities and guidance automatically, this increases the chance of unintended browser-skill activation, potentially expanding tool access or causing the agent to take web actions the user did not explicitly scope.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The git-master trigger phrases include very common terms like "commit", "rebase", "squash", and questions such as "who wrote" that may appear in conversational or documentation contexts without a true request for git operations. This ambiguity can cause incorrect skill loading, leading the agent to apply git-oriented behavior or tooling inappropriately and increasing the risk of unintended repository actions or over-privileged assistance.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.