customizing-opencode
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill documentation describes variable substitution features (
{env:VAR}and{file:PATH}) that allow the system to read sensitive environment variables and arbitrary local files into the AI's context. If a project-levelopencode.jsonis modified by an attacker, this can be used to leak credentials (e.g., AWS keys, SSH keys). - [REMOTE_CODE_EXECUTION] (HIGH): OpenCode supports executing custom tools and plugins written in TypeScript (
.ts) located in project directories. This capability, combined with the ability to load configuration from remote sources (.well-known/opencode), creates a direct path for remote code execution if the platform does not strictly sandbox these executions. - [EXTERNAL_DOWNLOADS] (MEDIUM): The configuration allows for 'Remote .well-known/opencode' and npm-based plugins. Loading configuration or code from external, untrusted domains is a high-risk pattern that can be used to compromise the local environment.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill processes external content (project files, remote configs) while possessing high-privilege capabilities (custom tools, plugins, MCP servers).
- Ingestion points: Reads
opencode.json,AGENTS.md, and remote.well-knownfiles. - Boundary markers: None mentioned in the configuration schema.
- Capability inventory: Execution of TypeScript tools, plugins, and MCP server integrations.
- Sanitization: No mention of sanitizing file paths or environment variable keys before substitution.
Recommendations
- AI detected serious security threats
Audit Metadata