opencode-command-creator

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Persistence Mechanisms (MEDIUM): As documented in SKILL.md and README.md, the skill allows for overriding built-in agent commands like /init by placing markdown files in global configuration directories. This capability can be exploited to hijack standard agent behavior or maintain persistence across sessions.
  • Dynamic Execution (MEDIUM): The script scripts/create-command.py is vulnerable to path traversal because the name argument is not sanitized before being used to construct a file path (base_dir / f"{name}.md"). An agent or malicious template could provide an absolute path or parent directory references to write files outside of the intended .opencode/commands/ directory.
  • Indirect Prompt Injection (LOW): The skill defines a system for creating commands that interpolate user-provided arguments ($ARGUMENTS) directly into templates that often include shell execution blocks (!`command`) and file reading (@file).
    • Ingestion points: $ARGUMENTS and positional placeholders in SKILL.md.
    • Boundary markers: Absent; no delimiters or warnings are used in the suggested template structures.
    • Capability inventory: Shell execution and file reading via @ and ! markers.
    • Sanitization: Absent; the creation script and instructions do not provide input validation or escaping mechanisms.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 08:54 AM