opencode

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill's documentation shows that skills are discovered from external dirs and arbitrary URLs (e.g., "Global external dirs", "Project external dirs", and "URL downloads: From opencode.jsonc skills.urls") and that when a skill is loaded the full SKILL.md body is injected into the agent context and can influence behavior, so untrusted third‑party content can be fetched and drive agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). opencode.jsonc supports fetching SKILL.md from external addresses via the skills.urls setting, and any URL listed there is downloaded at runtime and its SKILL.md content is injected into agent context (directly controlling prompts), so external URLs configured in opencode.jsonc's skills.urls are a high-risk vector.