opencode-commands

Warn

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents the use of dynamic context injection (via the !cmd syntax) which allows the agent to execute shell commands and include the output in its prompt context. This capability can be misused to run arbitrary and potentially malicious commands on the host system.
  • [DATA_EXFILTRATION]: Documentation of the @filename placeholder describes a feature for reading local file contents into the agent's context. This presents a high risk of sensitive data exposure if used to read private files like SSH keys or environment configurations.
  • [COMMAND_EXECUTION]: The skill defines a high-risk attack surface by teaching the use of user-supplied argument placeholders ($1, $ARGUMENTS) within command templates. When these placeholders are used inside shell command backticks, it creates a direct command injection vulnerability if the input is not sanitized.
  • [COMMAND_EXECUTION]: An indirect prompt injection surface is created by the ingestion of untrusted user input into templates.
    1. Ingestion points: User-provided arguments ($1, $ARGUMENTS) defined in SKILL.md.
    2. Boundary markers: No delimiters or instructions are suggested to separate user input from the command logic.
    3. Capability inventory: The system supports shell execution (via !cmd) and file reading (via @file).
    4. Sanitization: There is no documentation or built-in mechanism provided to sanitize or escape user arguments before they are interpolated into executable shell contexts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 13, 2026, 11:04 AM
Security Audit — agent-trust-hub — opencode-commands