ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oh My OpenCode

v1.0.0

Multi-agent orchestration plugin for OpenCode. Use when the user wants to install, configure, or operate oh-my-opencode — including agent delegation, ultrawork mode, Prometheus planning, background tasks, category-based task routing, model resolution, tmux integration, or any oh-my-opencode feature. Covers installation, configuration, all agents (Sisyphus, Oracle, Librarian, Explore, Atlas, Prometheus, Metis, Momus), all categories, slash commands, hooks, skills, MCPs, and troubleshooting.

2· 2.7k·20 current·20 all-time
by@mcoso
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the contents: the skill configures and operates oh-my-opencode and references opencode, bunx/npx, agent orchestration, and per-agent config. Required binary is opencode, which is appropriate for this plugin.
Instruction Scope
SKILL.md instructs running opencode and bunx/npx commands, reading OpenCode config files (~/.config/opencode/opencode.json, .opencode/*), and using provider auth via the opencode CLI. Those actions are within the expected scope for installing/configuring an OpenCode plugin. The docs reference running curl to install OpenCode and checking local services like Ollama (localhost), which is expected for troubleshooting.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only), but the instructions and scripts call network-based installers (curl | bash for opencode) and bunx/npx which may fetch packages at runtime. This is typical for a CLI plugin installer but carries the usual network-download risk — verify the upstream repository/package before running installer commands.
Credentials
The skill does not declare required environment variables or secrets. It recommends provider subscriptions and relies on the opencode CLI for provider authentication (opencode auth login), which keeps provider credentials outside the skill itself — proportional for its functionality.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. Agent autonomous invocation is allowed by default (disable-model-invocation=false), which is normal for skills; no unusual privileges are requested.
Assessment
This skill appears to do what it says: configure and run an OpenCode multi-agent plugin. Before installing or running scripts, verify the upstream project (the SKILL.md cites https://github.com/code-yeongyu/oh-my-opencode), and be cautious about running network-install commands (curl | bash, bunx/npx) since they will fetch and run code from the network. Confirm you trust the package source and that your OpenCode provider credentials remain managed by the opencode CLI (not embedded in this skill). If you need stronger assurance, inspect the remote repository and any installer package before executing the installer or doctor commands.

Like a lobster shell, security has layers — review code before you run it.

autonomousvk97291mg0m47akrjckt05yet7s80fhytcodingvk97291mg0m47akrjckt05yet7s80fhytlatestvk97291mg0m47akrjckt05yet7s80fhytoh-my-opencodevk97291mg0m47akrjckt05yet7s80fhytopencodevk97291mg0m47akrjckt05yet7s80fhytprometheusvk97291mg0m47akrjckt05yet7s80fhytsisyphusvk97291mg0m47akrjckt05yet7s80fhytultraworkvk97291mg0m47akrjckt05yet7s80fhyt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏔️ Clawdis
Binsopencode

Comments