opencode-acp
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill performs dynamic process replacement and command execution using binaries discovered at runtime.
  - Evidence: In venv_utils.py, the ensure_local_skill_venv function identifies Python interpreters on the system (via the PATH environment variable or the OPENCODE_ACP_PYTHON variable) and re-executes the current script using os.execvpe with the resolved path. This pattern of executing code from computed paths is a dynamic execution risk.
  - Evidence: The scripts opencode_monitor.py, opencode_realtime.py, and opencode_wrapper.py use the subprocess module to execute commands constructed in runner_utils.py, which targets the opencode_acp_client.py script.
- PROMPT_INJECTION (LOW): User-supplied task instructions are passed directly to the underlying agent client without validation.
  - Evidence: In opencode_monitor.py and other entry points, the task argument is taken directly from sys.argv[2] and passed to the agent client. This allows a user to provide malicious instructions that might attempt to override system prompts or bypass safety filters.
- INDIRECT_PROMPT_INJECTION (LOW): The skill processes untrusted data from a project directory, which could contain malicious instructions.
  - Ingestion points: The project_dir argument (e.g., in opencode_monitor.py) points to external file content that is processed by the AI client.
  - Boundary markers: There are no delimiters or safety warnings in the wrapper scripts to isolate the project data from the agent's instruction stream.
  - Capability inventory: The skill is capable of executing subprocesses and modifying local files through the ACP client.
  - Sanitization: No sanitization or validation of the project directory contents or the task prompt is performed.
Audit Metadata