There are worse things to mention about OneCLI as it looks like a completely vibe-coded mess, seeing that CLAUDE.md and Claude itself being one of the contributors [0]
Perhaps the most damning discovery is that they don't even do basic dependency pinning [1] [2] which just risks another supply chain attack.
As soon as I saw that, that was everything I needed to know about the project. No security audit whatsoever and Bitwarden believes this is something worth integrating.
Having agents contribute to a tool designed for agentic coding is thoroughly unsurprising - if anything, your contributor link showing that 873 LoC were written by Claude, in a project with tens of thousands of lines contributed, seems to show far fewer agentic contributions than I would normally expect. It seems far from vibe coded looking at those stats alone.
The lack of package pinning is unfortunate but common enough that I'd simply open a ticket (& expect them to address it) rather than writing off the entire project.
The lack of a security audit for a project this young is also unsurprising & hardly notable.
Perhaps the most damning discovery is that they don't even do basic dependency pinning [1] [2] which just risks another supply chain attack.
As soon as I saw that, that was everything I needed to know about the project. No security audit whatsoever and Bitwarden believes this is something worth integrating.
[0] https://github.com/onecli/onecli/graphs/contributors
[1] https://github.com/onecli/onecli/blob/main/packages/ui/packa...
[2] https://github.com/onecli/onecli/blob/main/packages/db/packa...