OpenCode SDK Development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION
REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides multiple examples of using the Bun shell (`$`) to execute system commands (e.g., `find`, `python3`) using interpolated arguments provided by the user. While Bun's shell implementation provides some protection against simple command injection, the pattern of exposing raw shell access to an LLM-driven tool is inherently high-risk.
  - Evidence: `` await $`find ${directory} -name "${pattern}"`.text() `` in `SKILL.md`.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill documentation details how the system auto-discovers and executes tools from specific directories (`.opencode/tool/`, `~/.config/opencode/tool/`). If an attacker can influence the agent to write a tool file to these locations (e.g., via a prompt injection or malicious code contribution), they can achieve persistent execution within the OpenCode environment.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill serves as a blueprint for tools that ingest untrusted data and have high-privilege capabilities.
  - Ingestion points: Tool arguments (`pattern`, `directory`, `file`) and plugin hooks (`chat.message`, `event`), which process external data.
  - Boundary markers: Absent in the provided templates; the instructions do not advise on delimiting untrusted input.
  - Capability inventory: Full shell access (`$`), filesystem interaction (`client.file`), and network operations via the SDK client.
  - Sanitization: Relies entirely on the underlying library's escaping (Bun) without additional validation or sanitization guidance.
- [DYNAMIC_EXECUTION] (MEDIUM): The skill is centered on the creation of TypeScript files that are dynamically loaded and executed at runtime as tools. The guide lacks security warnings about validating the source or content of the tools being generated or loaded.
Recommendations
- AI detected serious security threats
Audit Metadata