opencode
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to spawn the
opencodeCLI on the host machine, allowing it to execute shell commands and modify files directly in the host directory. - [REMOTE_CODE_EXECUTION]: Through the
opencode::runfunction, an LLM can generate and execute shell commands, effectively providing a path for code execution on the underlying host system. - [CREDENTIALS_UNSAFE]: The skill requires LLM provider API keys (like
ANTHROPIC_API_KEY) to be available on the host or throughopencode auth, creating a dependency on sensitive environment secrets. - [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection by processing external data with high-privilege system tools.
- Ingestion points: Data enters the skill via the
promptandmessagesarguments in theopencode::runandopencode::startfunctions. - Boundary markers: The skill does not define specific delimiters or instructions to help the agent distinguish between user data and system commands.
- Capability inventory: The
opencodeCLI provides the agent with full shell access, host filesystem access, and the ability to trigger otheriiibus functions. - Sanitization: There is no documentation of input sanitization or filtering applied to the prompts before they are passed to the shell-capable agent.
Audit Metadata