omg
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Flagged categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Fetches and executes installation scripts from well-known services (bun.sh) and vendor-owned resources (plannotator.ai). These downloads establish the local runtime environment for planning and execution.
- [COMMAND_EXECUTION]: Extensively uses embedded Python snippets and shell scripts for complex orchestration tasks, including managing git worktrees, tracking execution state in `.omc/state/omg-state.json`, and configuring platform-specific hooks in user directory settings (e.g. `~/.claude/settings.json`, `~/.codex/config.toml`).
- [DATA_EXFILTRATION]: Performs local network activity confined to the loopback interface (127.0.0.1). This includes port probing via `/dev/tcp` to verify tool availability and polling a local agentation MCP server at `localhost:4747` for visual UI annotations.
- [PROMPT_INJECTION]: The skill ingests untrusted data from implementation plans (`plan.md`) and external UI feedback, creating a surface for indirect prompt injection.
  - Ingestion points: Reads from local Markdown files and the `http://localhost:4747/pending` API.
  - Capability inventory: Possesses significant capabilities across all scripts, including file writing, subprocess execution, and git manipulation.
  - Boundary markers: Implements mandatory human-in-the-loop approval gates (e.g. plannotator visual review) before moving from the planning phase to execution, significantly reducing the risk of automated injection success.
  - Sanitization: Relies on the host agent's native guardrails and user verification during the planning and verify phases rather than sanitizing the ingested content itself.
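The following is an added shell example, not code from the omg skill or from Gen Agent Trust Hub. It shows the two guards a reviewer would want around the REMOTE_CODE_EXECUTION and DATA_EXFILTRATION findings above: pinning a SHA-256 digest on a fetched installer so it is checked before a single line runs (instead of piping the download into a shell), and a `/dev/tcp`-style availability probe that refuses any target outside the loopback interface. The hostnames, digests and temp paths are illustrative assumptions; only the `localhost:4747` port comes from the audit.

```shell
#!/bin/sh
# Added example (not the omg skill's own code): two guards around the behaviours
# the audit flags.
#   1. run_verified / fetch_and_run: a downloaded installer executes only if its
#      SHA-256 matches a digest pinned in the skill.
#   2. probe_port: the /dev/tcp availability probe, restricted to loopback so the
#      flagged "network activity" provably never leaves 127.0.0.1.
# Hostnames, ports (other than 4747), digests and paths are illustrative.

set -u

# Print the SHA-256 of a file with whichever digest tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 if the digest matches, 1 otherwise.
# The pinned value is lower-cased so a copy-pasted upper-case digest still works.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_HEX [args...]: run FILE with sh only after the
# digest check. A mismatch (upstream changed the script, or the download was
# tampered with in transit) refuses to run instead of silently installing
# something the skill author never reviewed.
run_verified() {
    file=$1; expected=$2; shift 2
    if ! verify_sha256 "$file" "$expected"; then
        echo "refusing to run $file: SHA-256 mismatch (pinned $expected)" >&2
        return 1
    fi
    sh "$file" "$@"
}

# fetch_and_run URL EXPECTED_HEX: the replacement for `curl URL | sh`. The body
# lands in a temp file first, so nothing executes before it is verified.
fetch_and_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    run_verified "$tmp" "$expected"; rc=$?
    rm -f "$tmp"
    return $rc
}

# is_loopback HOST: 0 only for 127.0.0.0/8, ::1 or the literal "localhost".
is_loopback() {
    case "$1" in
        localhost|::1|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_port HOST PORT: the tool-availability check the skill does via /dev/tcp,
# but it rejects any non-loopback target before opening a socket.
# Returns 0 if the port accepts a connection, 1 if it is closed, 2 if the
# target is refused by policy. /dev/tcp is a bash feature: on a shell without
# it the open simply fails and the port is reported closed, never probed.
probe_port() {
    host=$1; port=$2
    if ! is_loopback "$host"; then
        echo "probe_port: refusing non-loopback target $host" >&2
        return 2
    fi
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    # Subshell so a failed open cannot abort the calling shell.
    ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null && return 0
    return 1
}

# Usage demo (assumed digest; run as: sh guards.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    probe_port 127.0.0.1 4747 && echo "agentation MCP server reachable on 4747" \
        || echo "no listener on 127.0.0.1:4747"
    probe_port 10.0.0.5 4747 || echo "non-loopback probe rejected (rc=$?)"
    fetch_and_run https://example.invalid/install.sh \
        0000000000000000000000000000000000000000000000000000000000000000 \
        || echo "installer not run"
fi
```

Pinning a digest means the install step breaks the day upstream changes the script; that is the intended behaviour, since it forces a human to re-review the new installer before the skill executes it. The loopback check is deliberately done on the string before any socket is opened, which is what makes the "confined to 127.0.0.1" property auditable from the code rather than from observed traffic.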
Audit Metadata