opencode-conversation-recall
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `opencode db` command-line utility to perform database operations, including retrieving paths and running SQL queries.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it retrieves and processes historical conversation content.
  - Ingestion points: Conversation text is ingested from the `part` table via SQL queries in `SKILL.md`.
  - Boundary markers: No delimiters or instructions are specified to prevent the agent from following commands embedded in the retrieved historical text.
  - Capability inventory: The agent has the ability to execute database commands via `opencode db`.
  - Sanitization: There is no evidence of sanitization or filtering of the retrieved chat history before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill accesses sensitive information, including full conversation histories, project IDs, and local directory paths stored in the SQLite database.
- [COMMAND_EXECUTION]: The workflow for searching and reading specific sessions uses string interpolation for `SEARCH_TERM` and `SESSION_ID`, creating a surface for SQL injection against the local database if inputs are not properly escaped by the agent.
Audit Metadata