oma-hwp
Warn
Audited by Socket on Jun 13, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s purpose and local file access are coherent for document conversion, and there is no obvious credential theft or exfiltration path. However, its core behavior relies on executing unpinned third-party npm code (`bunx kordoc@latest`) and additional resource dependencies, which creates a disproportionate supply-chain risk for an AI skill even though the capability fits the stated purpose.
Confidence: 100%
Severity: 60%