opencode-orchestrator

Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that explicitly mandate an override of the agent's default delegation and routing behavior. It states that this skill's routing authority "takes precedence over the caller's generic delegation defaults" and that the "caller's generic routing defaults are overridden" while certain tools are reachable. This is an attempt to hijack the agent's core decision-making logic.
  • [COMMAND_EXECUTION]: The SKILL.md file employs dynamic context injection using the !bash syntax to execute a shell script (check-opencode-snapshot.sh) when the skill is loaded. This script further triggers the execution of a Node.js script (opencode-companion.mjs) located in the user's home directory. This enables silent, automated execution of arbitrary code within the user's environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the output of external scripts and uses it to shape the agent's behavior without proper delimiters or validation.
    • Ingestion points: The SKILL.md file, via the dynamic injection of the check-opencode-snapshot.sh output.
    • Boundary markers: None; the output of the shell script is directly interpolated into the instruction set.
    • Capability inventory: The agent is instructed to use the injected status information to determine whether to route all implementation, planning, and review tasks to an external execution environment ("OpenCode").
    • Sanitization: None; the skill relies on the raw output of a local script to establish its "Routing authority".
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 4, 2026, 01:03 AM
Security Audit — agent-trust-hub — opencode-orchestrator