skills/iii-hq/workers/opencode/Gen Agent Trust Hub

opencode

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to spawn the opencode CLI on the host machine, allowing it to execute shell commands and modify files directly in the host directory.
  • [REMOTE_CODE_EXECUTION]: Through the opencode::run function, an LLM can generate and execute shell commands, effectively providing a path for code execution on the underlying host system.
  • [CREDENTIALS_UNSAFE]: The skill requires LLM provider API keys (like ANTHROPIC_API_KEY) to be available on the host or through opencode auth, creating a dependency on sensitive environment secrets.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection by processing external data with high-privilege system tools.
  • Ingestion points: Data enters the skill via the prompt and messages arguments in the opencode::run and opencode::start functions.
  • Boundary markers: The skill does not define specific delimiters or instructions to help the agent distinguish between user data and system commands.
  • Capability inventory: The opencode CLI provides the agent with full shell access, host filesystem access, and the ability to trigger other iii bus functions.
  • Sanitization: There is no documentation of input sanitization or filtering applied to the prompts before they are passed to the shell-capable agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 03:11 PM
Security Audit — agent-trust-hub — opencode