omc
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The GitHub repo and its GitHub Pages site are third‑party, user‑maintained sources distributing a Claude Code plugin and npm package (potentially executable code) which—while possibly legitimate—are not official vendor downloads and therefore pose a moderate-to-high supply-chain risk; the docs.anthropic.com link is official and low risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The SKILL explicitly instructs runtime installation using the GitHub repo URL (e.g. "/plugin marketplace add https://github.com/Yeachan-Heo/oh-my-claudecode" and scripts/install.sh uses the same URL), which fetches plugin code that registers hooks and injects system reminders into Claude—so this external content is fetched at runtime, is a required dependency, and can directly control agent prompts.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata