ohmg
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs point to a GitHub repository and a raw install.sh from an unfamiliar user and the repo's recommended "curl | bash" install is an unsafe pattern (the raw script can run arbitrary commands), so the source should be treated as potentially risky and the script reviewed before running.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's install instructions recommend running a curl piped to bash that downloads and executes remote shell code at runtime from https://raw.githubusercontent.com/first-fluke/oh-my-agent/main/cli/install.sh, which directly executes fetched code and is presented as the installation path.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata