Trust Assessment
opencode-acp-control received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Arbitrary command execution", "Remote code execution: curl/wget pipe to shell", and "Command Injection via 'workdir' parameter in bash calls".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bjesuiter/opencode-acp-control/SKILL.md:279 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/bjesuiter/opencode-acp-control/SKILL.md:279 |
| HIGH | **Command Injection via 'workdir' parameter in bash calls.** The skill instructs the agent to use the `bash` tool with a `workdir` parameter. If the value for `workdir` is derived from untrusted input (e.g., user-provided project path), it could lead to command injection or path traversal. An attacker could craft a malicious `workdir` value (e.g., `'; rm -rf /'`) to execute arbitrary commands or access restricted directories. The `resumeSession` pseudo-code explicitly shows `workdir` as a variable passed to `bash` commands, indicating it's not always a hardcoded safe path. Ensure that any `workdir` parameter passed to `bash` commands is strictly validated and sanitized, or derived only from trusted sources. If user input is involved, it must be escaped or validated against a whitelist of allowed paths. Consider using a more constrained tool if `workdir` is meant to be user-controlled. | LLM | SKILL.md:30 |
| HIGH | **Excessive Permissions: Broad tool access and declared capabilities.** The skill extensively uses the `bash` and `process` tools, granting the agent broad system command execution and process management capabilities. Furthermore, the `initialize` step explicitly declares `fs.readTextFile`, `fs.writeTextFile`, and `terminal` capabilities for the `opencode` process. This means the `opencode` application, when run by the agent, is intended to have powerful filesystem and terminal access. If `opencode` itself has vulnerabilities or is misused, these declared capabilities could be exploited for data exfiltration, arbitrary file modification, or command execution. Review the necessity of `bash` and `process` tools for all operations. If possible, use more granular or sandboxed tools. For `opencode` capabilities, ensure that `fs.readTextFile`, `fs.writeTextFile`, and `terminal` access are strictly necessary and that `opencode` itself is a trusted and secure application. Implement strict input validation and output sanitization for any data exchanged with `opencode`. | LLM | SKILL.md:20 |
| MEDIUM | **Supply Chain Risk: Recommendation of 'curl \| bash' for updates.** The skill's documentation suggests a manual update method using `curl -fsSL https://opencode.dev/install \| bash`. This practice is inherently risky as it pipes a script directly from a remote server to a shell for execution without prior inspection. If the `opencode.dev` domain or the hosted script were compromised, it could lead to arbitrary code execution on the system running the agent, posing a significant supply chain risk. Avoid recommending `curl \| bash` for updates. Instead, suggest more secure update mechanisms such as package managers, signed binaries, or a multi-step process that allows users to inspect the script before execution. If `curl \| bash` is deemed unavoidable, strongly advise users to review the script content before executing it. | LLM | SKILL.md:200 |