opencode-session-db

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/query.sh contains several SQL injection vulnerabilities where user-supplied arguments are directly interpolated into SQL command strings without sanitization. For example, the search command uses LIKE '%${ARG}%' and the read, tools, stats, and export commands use m.session_id = '${ARG}'. Although the script uses the -readonly flag with sqlite3, this vulnerability allows an attacker to manipulate the queries to extract any data from the database, bypassing intended filters.
  • [DATA_EXFILTRATION]: The skill instructions and scripts target the sensitive local file path ~/.local/share/opencode/opencode.db. This database contains private user information, including full conversation histories, message metadata, and tool outputs. Accessing local application state of this nature constitutes a significant data exposure risk if the agent's actions are not strictly monitored.
  • [PROMPT_INJECTION]: The skill introduces an indirect prompt injection surface by reading and processing untrusted historical data from the local SQLite database.
      • Ingestion points: The read, tools, and export functions in scripts/query.sh, as well as the conversation retrieval queries in SKILL.md, ingest message content from the message and part tables.
      • Boundary markers: Absent. The queries retrieve raw text content from the database and present it to the agent without instructions to ignore potential commands embedded in the history.
      • Capability inventory: The skill allows the agent to execute shell commands (via sqlite3 and scripts/query.sh) and potentially perform follow-up actions based on the retrieved data.
      • Sanitization: Absent. The skill does not perform any validation, escaping, or filtering of the text content retrieved from the database before it is processed by the AI.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 05:13 AM