permission-manager
Fail
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: HIGH
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to manage and modify the 'always-allow' command list in the opencode.json configuration file. This allows it to authorize specific shell commands for execution without user approval, creating a pathway for potential abuse by enabling high-risk operations to run silently.
- [CREDENTIALS_UNSAFE]: The skill accesses sensitive security configuration files located at ~/.config/opencode/opencode.json. These files contain the authorization policies for the agent, and their modification represents a high-privilege operation that affects the entire execution environment.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by reading project-level opencode.json files that may originate from untrusted sources (such as a cloned repository).
- Ingestion points: Project-level opencode.json files in the working directory.
- Boundary markers: Absent; the skill does not use delimiters or instructions that direct the agent to disregard instructions embedded within the configuration data.
- Capability inventory: The skill can modify host-level security configurations and permission mappings.
- Sanitization: No validation logic is present to ensure that commands being added to the allow-list are free from malicious payloads or injection attempts.
Recommendations
- AI detected serious security threats
Audit Metadata