omc

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The GitHub repo and its GitHub Pages site are third‑party, user‑maintained sources distributing a Claude Code plugin and npm package (potentially executable code) which—while possibly legitimate—are not official vendor downloads and therefore pose a moderate-to-high supply-chain risk; the docs.anthropic.com link is official and low risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The SKILL explicitly instructs runtime installation using the GitHub repo URL (e.g. "/plugin marketplace add https://github.com/Yeachan-Heo/oh-my-claudecode" and scripts/install.sh uses the same URL), which fetches plugin code that registers hooks and injects system reminders into Claude—so this external content is fetched at runtime, is a required dependency, and can directly control agent prompts.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 23, 2026, 02:49 PM
Issues
2
Security Audit — snyk — omc