opencode-cli
Fail
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Recommends an automated installation via `curl -fsSL https://opencode.ai/install | bash`, which pipes a remote script from an untrusted domain directly into the shell for execution.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Recommends the installation of external packages from npm (`opencode-ai`) and Homebrew (`anomalyco/tap/opencode`) that are not from recognized trusted vendors.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill explicitly provides patterns for the agent to use `exec()` to run shell commands, facilitating arbitrary command execution.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The `opencode` tool features a file attachment flag (`-f`) that allows the agent to read local files, such as `src/config.ts`, and send their contents to external LLM providers, posing a risk of sensitive data exposure.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted prompts and file content into CLI commands without security boundaries or sanitization.
  - Ingestion points: Prompt arguments and file attachments in `SKILL.md` (e.g., `opencode run "..."`).
  - Boundary markers: Absent; there are no delimiters to separate instructions from user-provided data.
  - Capability inventory: Direct shell command execution via `exec()` for various delegated tasks.
  - Sanitization: No input validation, escaping, or filtering of external content is specified.
Recommendations
- HIGH: Downloads and executes remote code from https://opencode.ai/install. DO NOT USE without thorough review.
- AI detected serious security threats.
Audit Metadata