security-secrets

Warn

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: MEDIUM

COMMAND_EXECUTION

Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/scan-all.sh uses eval to execute conditions and directly invokes other skill scripts from hardcoded paths in the user's home directory (e.g., ~/.config/opencode/skill/security-ai-keys/scripts/scan.sh). This assumes a specific filesystem structure and relies on the presence of other external scripts which may have been modified or could be malicious. While intended for a modular architecture, cross-skill script execution from user-writable paths introduces a risk of executing unintended or untrusted code if those paths are compromised.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 18, 2026, 02:10 AM