command-creator

The document itself is a benign specification describing how to author Pi and OpenCode command templates. However, the OpenCode features it documents (arbitrary shell output injection via backticks and arbitrary file inclusion via @) create high-risk data exfiltration and command-execution vectors if the agent/runtime executes template content without strict safeguards. The inconsistent frontmatter (disable-model-invocation: true) adds confusion about whether remote model invocation is actually allowed. Overall this skill specification increases attack surface: malicious or careless templates can read sensitive files and send their contents to external models, or run arbitrary shell commands. The fragment is not itself malware, but it enables dangerous behaviors and should be treated as medium-high risk unless the runtime enforces sandboxing, whitelisting, and explicit user consent for shell/file inclusions.