writing-plugins

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill gives plugins access to Bun's shell API ($), which allows execution of arbitrary shell commands.
    • Evidence: The context object documentation in SKILL.md explicitly lists $ for "executing commands".
    • Evidence: An example in SKILL.md uses $ to run osascript for notifications.
  • REMOTE_CODE_EXECUTION (HIGH): The plugin system loads and executes code from local directories and from external npm packages.
    • Evidence: SKILL.md describes loading plugins from ~/.config/opencode/plugin/ and from project-local directories.
    • Evidence: The system automatically runs bun install for dependencies declared in .opencode/package.json.
  • EXTERNAL_DOWNLOADS (HIGH): The skill causes unverified third-party packages to be downloaded and installed at runtime.
    • Evidence: The "Dependencies" section in SKILL.md confirms that OpenCode installs npm packages at startup.
  • PROMPT_INJECTION (HIGH): The skill describes an architecture exposed to indirect prompt injection: plugins intercept and modify tool executions and session prompts, and the data driving those decisions can come from untrusted sources.
    • Ingestion points: the tool.execute.before, event handler, and experimental.session.compacting hooks described in SKILL.md.
    • Boundary markers: Absent from the documentation.
    • Capability inventory: Plugins have shell access ($), AI interaction (client), and file system access (directory, worktree), as defined in the context object.
    • Sanitization: Absent; the provided example of blocking .env is a recommendation to plugin authors, not an enforcement applied by the system.
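The last finding notes that the .env check shown in SKILL.md is advice to plugin authors rather than something the system enforces. The following is an added example, not code from the page or from OpenCode, of what an enforcing tool.execute.before hook can look like in a TypeScript plugin: it resolves every file-tool path against the worktree, refuses anything that escapes it, and denies well-known secret files by basename or extension regardless of case. A naive substring check is included beside it to show where the simple ".env" match misses and where it over-blocks. The hook signature (an input carrying tool, sessionID and callID, an output carrying args), the tool names read/write/edit, the filePath argument name, and the convention that throwing from the hook aborts the call are assumptions about the plugin API; the types are local stand-ins, not imports from the real plugin package.

```typescript
// Added example of an enforcing tool.execute.before hook (not OpenCode's own code).
// Hook shape, tool names and argument names are assumptions; types are local stand-ins.
import * as path from "node:path";

// Assumed shape of the hook arguments.
interface ToolCallInput { tool: string; sessionID: string; callID: string }
interface ToolCallOutput { args: Record<string, unknown> }

interface Decision { allowed: boolean; reason?: string }

// Tools that take a filesystem path, and the argument that carries it (assumed names).
const PATH_TOOLS: Record<string, string> = {
  read: "filePath",
  write: "filePath",
  edit: "filePath",
};

// Files that must never be handed to the model, matched on the basename only.
const SECRET_BASENAMES = /^(\.env(\..*)?|id_(rsa|ed25519|ecdsa|dsa)|\.npmrc|\.netrc)$/i;
const SECRET_EXTENSIONS = /\.(pem|key|p12|pfx)$/i;

// The substring check the page describes: blocks any path containing ".env".
function naiveEnvCheck(filePath: string): Decision {
  return filePath.includes(".env")
    ? { allowed: false, reason: "path contains .env" }
    : { allowed: true };
}

// Policy check: confine the path to the worktree, then apply the secret-file deny list.
// Resolution is lexical only; symlinks inside the worktree are not followed here.
function checkPath(worktree: string, filePath: string): Decision {
  const root = path.resolve(worktree);
  const resolved = path.resolve(root, filePath);
  const rel = path.relative(root, resolved);
  // Anything that climbs out of the root (or lands on another drive) is rejected.
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return { allowed: false, reason: `path escapes worktree: ${filePath}` };
  }
  const base = path.basename(resolved);
  if (SECRET_BASENAMES.test(base) || SECRET_EXTENSIONS.test(base)) {
    return { allowed: false, reason: `secret file denied: ${base}` };
  }
  return { allowed: true };
}

// Apply the policy to one tool call. Tools without a path argument pass through unchanged.
function checkToolCall(worktree: string, input: ToolCallInput, output: ToolCallOutput): Decision {
  const argName = PATH_TOOLS[input.tool];
  if (!argName) return { allowed: true };
  const value = output.args[argName];
  if (typeof value !== "string") return { allowed: false, reason: `missing ${argName}` };
  return checkPath(worktree, value);
}

// Plugin factory in the documented shape: receives the context object, returns hooks.
// Throwing from the hook is assumed to abort the tool call.
const SecretGuard = async (ctx: { worktree: string }) => ({
  "tool.execute.before": async (input: ToolCallInput, output: ToolCallOutput) => {
    const decision = checkToolCall(ctx.worktree, input, output);
    if (!decision.allowed) {
      throw new Error(`SecretGuard blocked ${input.tool}: ${decision.reason}`);
    }
  },
});

// Constructed sample calls to compare the two checks on a hypothetical worktree.
const SAMPLE_WORKTREE = "/home/dev/app";
const SAMPLE_PATHS = [".env", "config/.ENV.local", "/etc/passwd", "docs/dev.environment.md"];
for (const p of SAMPLE_PATHS) {
  console.log(p, "naive:", naiveEnvCheck(p).allowed, "policy:", checkPath(SAMPLE_WORKTREE, p).allowed);
}
```

Two limits are worth keeping in mind when reading this as a fix for the finding. The hook only sees tool arguments, so a shell command issued through the bash tool or through $ that itself reads .env is invisible to it; that path has to be closed separately, for example by denying the shell tool or running the agent in a sandbox. Second, the containment is lexical: a symlink inside the worktree that points outside it would still resolve to an in-tree path here, so a real deployment should also check the realpath before allowing the call.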
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:58 AM