The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The reference file references/plugins/llm-api-key-proxy.md directs users to download binary releases from an unverified GitHub repository (github.com/Mirrowel/LLM-API-Key-Proxy).
[REMOTE_CODE_EXECUTION]: Installation instructions for external tools include granting execution permissions to binaries (chmod +x proxy_app && ./proxy_app) and running source code from unverified external repositories (python src/proxy_app/main.py), which allows arbitrary code execution.
[COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to manage plugins, run local Python scripts (list_plugins.py), and delete local cache directories (rm -rf ~/.cache/opencode/...).
[CREDENTIALS_UNSAFE]: The documentation for the LLM Proxy tool instructs users to store sensitive API keys for multiple providers (OpenAI, Anthropic, Gemini) in a plain-text .env file and use an external credential tool for OAuth authentication, creating a high risk of credential exposure.
[DATA_EXFILTRATION]: Encouraging users to route all LLM traffic through an unverified third-party proxy (LLM-API-Key-Proxy) introduces a significant risk that all prompts, responses, and API credentials will be exfiltrated to the proxy operator.
[PROMPT_INJECTION]: Multiple plugin descriptions (e.g., opencode-openai-codex-auth.md, llm-api-key-proxy.md, and pickle-thinker.md) contain deceptive claims about supporting non-existent models like 'GPT 5.2', 'Claude 4.5', and 'GLM-4.6'. This is a known social engineering pattern used to lure users into installing malicious software.
[PROMPT_INJECTION]: The workflow for adding new plugins in SKILL.md is vulnerable to indirect prompt injection. It instructs the agent to gather data from external websites or registries and save it into new markdown files that are later processed by the agent, potentially persisting malicious instructions into the system's local catalog.

plugin-installer