CreateSkill
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive file system operations using shell commands such as mkdir, touch, cp, mv, find, and grep within the local ~/.opencode/skills/ directory.
- [COMMAND_EXECUTION]: The workflows execute curl to send POST notifications to a local endpoint at http://localhost:8888/notify.
- [COMMAND_EXECUTION]: The ValidateSkill workflow executes local TypeScript files using the bun command with the --help flag.
- [PROMPT_INJECTION]: The skill uses highly directive language including 'MANDATORY', 'CRITICAL', and 'REQUIRED FIRST' to override standard AI behavior and enforce specific structural protocols.
- [PROMPT_INJECTION]: A vulnerability to indirect prompt injection exists because the skill reads content from the ~/.opencode/skills/ directory and interpolates user-provided descriptions and triggers into newly generated workflows without sanitization. Evidence:
  1. Ingestion points: Reads from ~/.opencode/skills/ and SkillSystem.md.
  2. Boundary markers: Absent when reading and processing local files.
  3. Capability inventory: Performs shell execution, file writes, and local network requests.
  4. Sanitization: No validation or escaping of user input or ingested file content.