opencode
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs users to modify their shell configuration file (`~/.zshrc`) by appending a PATH export. Modifying shell profiles is a persistence mechanism that can be abused to execute arbitrary commands during session startup.
- [COMMAND_EXECUTION]: The installation guide (`INSTALL.md`) recommends using `sudo` for copying files and modifying system-level ownership/permissions. Recommending elevated privileges for skill installation increases the potential impact of any malicious components within the toolchain.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted external data.
  - Ingestion points: The `opencode pr` command fetches data from external GitHub Pull Requests, and the `opencode run -f` command reads the content of local files.
  - Boundary markers: The skill lacks explicit delimiters or instructions to the AI agent to ignore potentially malicious instructions embedded within the ingested data.
  - Capability inventory: The skill provides access to `opencode`, an AI-native code editor with high-privilege capabilities including file modification, code execution, and starting a web server via `opencode web`.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the external content before it is processed by the AI models.
Audit Metadata