NYC

opencode-conversation-analysis

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)

Full Analysis
  • DATA_EXFILTRATION (MEDIUM): The skill accesses sensitive local data stored in ~/.local/share/opencode/storage.
      • Evidence: The extract.sh script recursively reads session, message, and part data to reconstruct conversation history.
      • Context: Although this is the primary purpose of the skill, the lack of restricted scope or user confirmation for specific sessions represents a medium-risk exposure of private communications.
  • COMMAND_EXECUTION (LOW): The skill executes a local shell script and utilizes system binaries.
      • Evidence: SKILL.md instructs the agent to run ~/.agents/skills/opencode-conversation-analysis/scripts/extract.sh and uses jq for data processing.
  • PROMPT_INJECTION (LOW): The skill exhibits a significant surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: Historical user messages are read from ~/.local/share/opencode/storage/part/*.json via scripts/extract.sh.
      • Boundary markers: Absent. The subagent prompt in SKILL.md provides no delimiters (e.g., XML tags or triple backticks) to separate the instruction from the untrusted conversation data.
      • Capability inventory: The system executes shell scripts via bash and spawns general subagents that can interpret and act upon instructions found within the data.
      • Sanitization: Absent. The script extracts raw text from historical messages and interpolates it directly into subagent prompts without filtering or escaping.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:21 PM