Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oh My Zsh Manager

v0.1.0

Oh My Zsh management. plugin - Add/install plugins to .zshrc plugins=() array [plugin.md], custom - Write $ZSH_CUSTOM/*.zsh based on requirements [custom.md]...

by es6kr @drumrobot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for drumrobot/omz.

Prompt preview (Install & Setup):
Install the skill "Oh My Zsh Manager" (drumrobot/omz) from ClawHub.
Skill page: https://clawhub.ai/drumrobot/omz
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install omz

ClawHub CLI

npx clawhub@latest install omz

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The skill's stated purpose (manage Oh My Zsh plugins and custom files) matches the instructions. However, it omits declaring practical runtime requirements: external plugin installation requires 'git' and the skill references $ZSH and $ZSH_CUSTOM without listing them in requires.env or required binaries. This omission is an incoherence between claimed capabilities and declared requirements.
[!] Instruction Scope
Instructions explicitly tell the agent to modify user files (~/.zshrc and $ZSH_CUSTOM/*.zsh) and to clone arbitrary GitHub repositories. Those actions are within the skill's purpose but are powerful file- and network-level operations. Additionally, SKILL.md includes a 'self-improve' step that directs the agent to run '/skill-manager upgrade omz' after invocation, which causes the agent to attempt to upgrade the skill itself — this is scope-creep that can lead to unexpected self-modification if executed without explicit user consent.
Install Mechanism
There is no install spec (instruction-only), which reduces disk-side risk. However, external plugin installation relies on 'git clone' from third-party repos (GitHub). Because the skill will advise or perform network clones, the effective runtime requires network access and git; those expectations should be declared.
[!] Credentials
The skill declares no required environment variables or credentials, yet instructions reference $ZSH and $ZSH_CUSTOM and default paths. While these are not secrets, the mismatch between declared env requirements and referenced env variables is a coherence issue. No sensitive credentials are requested, which is appropriate.
Persistence & Privilege
The skill does not request always:true and does not require special system-wide privileges. The only persistence-related concern is the 'self-improve' instruction to run '/skill-manager upgrade omz' — it instructs the agent to upgrade the skill after use, which could change the skill's behavior over time if performed automatically. This should be clarified or gated by explicit user confirmation.
What to consider before installing
This skill appears to do what it says (manage Oh My Zsh plugins and write custom zsh files), but there are three things to watch for before installing or allowing it to run:

(1) It references and will likely use git to clone external plugins but doesn't declare 'git' as a required binary — ensure git is present and be aware clones download and run third-party shell code.
(2) It reads/writes ~/.zshrc and $ZSH_CUSTOM/*.zsh — allow it only if you trust the changes; review any proposed file content before writing.
(3) The SKILL.md tells the agent to run '/skill-manager upgrade omz' after use (self-upgrade); ask for this step to require explicit consent or remove it.

To improve confidence, request that the skill author: declare required binaries (git), list referenced env vars (ZSH, ZSH_CUSTOM), and remove/clarify the automatic self-upgrade behavior.

latest vk975a596hza447h8pb5t8eyvf583z8gg
95 downloads
0 stars
1 versions
Updated 4w ago
v0.1.0
MIT-0

Oh My Zsh

Oh My Zsh plugin management and custom configuration authoring.

Topics

Topic    Description                                       Guide
plugin   Add/install plugins to .zshrc plugins=() array    plugin.md
custom   Write $ZSH_CUSTOM/*.zsh based on requirements     custom.md

Self-Improvement

After this skill invocation completes, self-improve based on the conversation:

  1. Detect limitations, failures, or workaround patterns for this skill in the conversation
  2. If improvement candidates are found, run /skill-manager upgrade omz
