opencode-teammates

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: Vulnerability in scripts/spawn.sh allowing arbitrary Python code execution on the host machine. The script uses an unquoted bash heredoc to pass shell variables into a Python snippet without escaping. A crafted prompt can terminate the intended Python string and execute arbitrary commands.
  • Evidence: In scripts/spawn.sh (lines 122-127), the $PROMPT shell variable is interpolated directly into a Python script block within a heredoc. Because the heredoc delimiter PY is not quoted (unlike other instances in the same script), the shell expands the variable before Python sees it. This allows an attacker to provide a prompt containing characters like "); ... # to break out of the string literal and execute arbitrary Python code.
  • [DATA_EXFILTRATION]: Exposure of sensitive credentials via shared environment configuration. The skill captures the lead agent's environment context, including the path to the main OpenCode configuration file (OPENCODE_CONFIG), and propagates it to all teammate agents. This configuration file typically contains sensitive authentication tokens or API keys.
  • Evidence: scripts/team.py (lines 86-125) identifies and captures sensitive environment variables including OPENCODE_CONFIG. scripts/spawn.sh (lines 231-283) then reconstructs this environment for teammate processes. Since teammates are also LLM-driven agents, they could be instructed or compromised to read these sensitive files, leading to credential theft.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 2, 2026, 11:02 AM