opencode-conversation-analysis

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive conversation history stored in ~/.local/share/opencode/storage. It writes this data to the /tmp/opencode-analysis/ directory. On many multi-user systems, /tmp is world-readable, which can expose private messages and technical details to other users or unauthorized processes.
  • [COMMAND_EXECUTION]: The skill executes local shell scripts (extract.sh) that use tools like find, cat, and jq to aggregate data from many files. While the script paths are specific to the skill installation, the intensive use of shell pipelines on user-generated content requires caution to ensure no unintended execution occurs if the underlying data structure is compromised.
  • [PROMPT_INJECTION]: The skill possesses a significant surface for indirect prompt injection because it processes historical user messages and passes them to subagents without proper isolation.
      • Ingestion points: Data is extracted from local session, message, and part files via scripts/extract.sh.
      • Boundary markers: The subagent prompt template in SKILL.md lacks clear delimiters (e.g., XML tags) and does not explicitly instruct the agent to ignore any commands found within the message text.
      • Capability inventory: The skill uses bash and jq for extraction and spawns multiple subagents via the Task tool to perform analysis.
      • Sanitization: There is no evidence of sanitization, escaping, or filtering of the message content before it is processed by the AI subagents.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 09:31 PM