opencode-ts
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The documented `ReadTool` in `references/tool-module.md` automatically resolves and injects instructions from `AGENTS.md` files located in parent directories of files being read. This design feature creates a surface for indirect prompt injection, where an attacker-controlled repository could influence agent behavior through hidden instruction files.
  - Ingestion points: `InstructionPrompt.resolve` triggered automatically when reading files.
  - Capability inventory: Access to `BashTool`, `ReadTool`, `WriteTool`, and `TaskTool` for codebase manipulation.
  - Boundary markers: Instructions are resolved per-messageID to limit scope, but no explicit sanitization of embedded instructions is described.
- [COMMAND_EXECUTION]: The skill documents the architecture and use of powerful shell and filesystem tools for codebase manipulation.
  - `references/helpers-deep-dive.md` describes the `Archive.extractZip` utility which executes PowerShell commands (`Expand-Archive`) on Windows and `unzip` on Unix-like systems.
  - `references/architecture.md` and `references/tool-module.md` describe the `BashTool`, which provides the agent with the ability to execute arbitrary shell commands in the project environment.
  - `references/helpers-deep-dive.md` describes a `Process` utility using `cross-spawn` to launch child processes with support for piping and custom environment variables.
- [DATA_EXFILTRATION]: The architecture includes documentation for tools that can access sensitive data and perform network operations.
  - `references/tool-module.md` describes the `ReadTool` logic for identifying and requesting permission to read sensitive `.env` files.
  - `references/architecture.md` lists `WebFetchTool` and `WebSearchTool` alongside filesystem tools, providing a potential path for data exfiltration if the agent's logic is subverted through indirect injection.
Audit Metadata