The Agent Skills Directory

[Data Exposure] (MEDIUM): Accesses a sensitive SQLite database at ~/.opencode/opencode.db which contains private session history, messages, and file change tracking.
Evidence: The skill explicitly instructs the agent to read from ~/.opencode/opencode.db and identifies tables like sessions, messages, and history.
Severity Note: Originally HIGH, but downgraded to MEDIUM as this access is the primary intended purpose of the core context skill.
[External Downloads] (MEDIUM): Downloads and updates code from an untrusted GitHub organization.
Evidence: git clone https://github.com/anomalyco/opencode and git -C vendor/opencode pull target anomalyco, which is not on the list of trusted organizations.
[Command Execution] (MEDIUM): Executes shell commands that interpolate user input directly into a CLI tool.
Evidence: opencode -p "your prompt" -f json -q allows for command injection if the user prompt is not properly sanitized.
[Indirect Prompt Injection] (LOW): The skill possesses a surface for indirect prompt injection by processing external data and local history without explicit sanitization.
Ingestion points: Reads from ~/.opencode/opencode.db and external code in vendor/opencode.
Boundary markers: Absent; there are no instructions to ignore embedded commands in the database or files.
Capability inventory: Subprocess calls via pnpm, git, and opencode (SKILL.md).
Sanitization: Absent; no validation or escaping logic is described for data retrieved from the database or external repository.

openwork-core