Security evaluation report for @forgecat/yeachan-heo_oh-my-claudecode_agents v0.1.4
Source Integrity
Safe
Profile is a curated repackaging of upstream open-source agents from Yeachan-Heo/oh-my-claudecode (GitHub public repository, MIT license).
Original repository is publicly available and version-pinned to commit deee3a446dadc9bfea31cdc8b19b00b16718082e (2026-06-09).
No proprietary, closed-source, or untrusted binary dependencies declared; all content is markdown-based agent instructions.
Agent Intent
Safe
Agent instructions are role-based task definitions (analyst, architect, code-reviewer, etc.) with no prompt-injection language, no instructions to ignore system constraints, and no directives to read/exfiltrate credentials.
Agents are designed to read codebase files and documentation as part of their normal function (e.g., architect reads code to analyze, document-specialist reads docs to research), but none of them instructs the agent to hide its instructions, deny its own purpose, or install remote payloads.
No guidance poisoning detected: agents recommend standard tools (lsp_diagnostics, git, bash, Read/Grep/Glob) and legitimate practices (SOLID principles, security review checklists, test coverage); no typosquatted packages, backdoored templates, or security-weakening defaults are embedded.
Details
Evidence
analyst.md: 'Read-only: Write and Edit tools are blocked.' — constrains rather than expands authority.
architect.md: 'You are READ-ONLY. Write and Edit tools are blocked. You never implement changes.' — explicit limitation.
code-reviewer.md: 'Never approve code with CRITICAL or HIGH severity issues at HIGH confidence.' — enforces quality gates, not bypasses.
debugger.md: 'Fix with minimal diff. Do not refactor, rename variables, add features, optimize, or redesign.' — constrains scope to root-cause fixes only.
Permissions
PRM-000: Caution
Several agents (debugger, designer, code-simplifier) have write/edit tool access and can run Bash commands, which is broader than pure read-only roles but consistent with their stated implementation/fix purposes.
The architect and designer agents can spawn sub-agents via Task() calls referencing other oh-my-claudecode agents, introducing a subagent delegation chain that slightly expands authority beyond a single agent's scope.
No shell tools are declared with alwaysApply=true or wildcard globs, and tool usage is scoped to the described function (e.g., debugger uses Edit only for 'minimal fixes').
Details
Evidence
debugger.md: 'Use Edit for minimal fixes (type annotations, imports, null checks). Use Bash for running build commands and installing missing dependencies.'
architect.md: 'Use Task(subagent_type="oh-my-claudecode:critic", ...) for plan/design challenge'
designer.md: 'Use Write/Edit for creating and modifying components. Use Bash to run dev server or build to verify implementation.'
MCP Risk
Safe
No MCP servers are declared in the profile; all agents use standard Claude Code tools (Read, Write, Edit, Bash, Glob, Grep, lsp_diagnostics, ast_grep_search, WebSearch, WebFetch).
No hidden instructions in tool descriptions; tool usage sections are explicit about what each tool does and when to use it.
No arbitrary binary execution or unrestricted network/filesystem access; bash usage is scoped to project-local operations (git, build commands, lsp checks) or read-only environment inspection.
Details
Evidence
Profile metadata declares: '(none)' for MCP servers.
All tool references are standard Claude Code built-ins with documented constraints (e.g., 'Read-only: Write and Edit tools are blocked' for analyst/architect/code-reviewer/document-specialist).