opencode-config
Audited by Socket on Feb 28, 2026
1 alert found:
Security
This skill fragment is a documentation/configuration helper and does not contain executable malicious code. The main risks are operational: (1) substituting environment variables or file contents may expose sensitive data into effective configs if users store secrets insecurely, (2) accepting remote .well-known configuration without integrity checks can allow an attacker to override local behavior, and (3) executing an external validation script (scripts/validate-config.sh) not present in this fragment could be dangerous depending on its contents. Recommend: treat remote config as untrusted unless integrity is verified, avoid placing secrets in files/env vars used for substitution, and review any referenced scripts before execution. Overall risk is low-to-moderate but depends on deployment practices.