Skills
skills/igorwarzocha/opencode-workflows/security-secrets/Gen Agent Trust Hub

security-secrets

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • COMMAND_EXECUTION (HIGH): The scripts/scan-all.sh script is vulnerable to shell command injection via the $DIR parameter. It uses eval to process a condition string built from this unsanitized input. An attacker can execute arbitrary commands by providing a directory name containing shell metacharacters (e.g., '; touch /tmp/pwned; #').
  • CREDENTIALS_UNSAFE (HIGH): The scripts/scan.sh script prints the raw, unredacted lines containing detected secrets directly to standard output. While the SKILL.md specifies a mandatory redaction format (showing only the first and last 4 characters), the implementation uses grep or ripgrep to output the full secret, leading to sensitive data exposure in the agent's logs.
  • COMMAND_EXECUTION (MEDIUM): scripts/scan-all.sh attempts to execute scripts from hardcoded paths in the user's home directory (~/.config/opencode/skill/). This creates a dependency on external files and could lead to the execution of untrusted code if an attacker can manipulate files in those locations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:18 PM