ohmg
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to download and execute a shell script directly from a remote URL (
curl -fsSL https://raw.githubusercontent.com/first-fluke/oh-my-agent/main/cli/install.sh | bash). This method bypasses security checks and allows an external, untrusted source to execute arbitrary commands on the host machine. - [EXTERNAL_DOWNLOADS]: The skill references and downloads scripts and packages from the
first-flukeGitHub organization, which is not a recognized or trusted service. - [COMMAND_EXECUTION]: The instructions recommend using
bun install --global oh-my-agentto install the software. Global installations affect the entire system and often require elevated privileges, which can lead to broader security issues if the package is malicious.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/first-fluke/oh-my-agent/main/cli/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata