reflect

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using bun -e to query a local SQLite database. This pattern involves running dynamically constructed JavaScript code, which could be exploited for command injection if session identifiers or other database-derived data are not properly handled when passed to the shell.
  • [DATA_EXFILTRATION]: The skill accesses a local SQLite database containing sensitive conversation history at a hardcoded path: /home/mhenke/.local/share/opencode/opencode.db. Accessing this database exposes private user data to the agent, and the hardcoded path revealing a specific username represents an information leak and a security best-practice violation.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes historical conversation messages from the database. These messages are untrusted and could contain malicious instructions designed to hijack the agent's behavior.
  • Ingestion points: Session messages retrieved from the data column of the message table in opencode.db (SKILL.md).
  • Boundary markers: Absent. The skill lacks instructions to treat retrieved session data as untrusted or to use isolation markers.
  • Capability inventory: Shell command execution via bun and the ability to modify agent instructions, skills, and configurations (SKILL.md).
  • Sanitization: Absent. No logic is provided to sanitize or validate retrieved message content before it is processed by the AI.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 01:36 AM
Security Audit — agent-trust-hub — reflect