Trust Assessment
opencode-acp-control received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 4 critical, 0 high, 0 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Remote code execution: curl/wget pipe to shell", and "Unsanitized `workdir` leads to command injection in `bash` calls".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/studio-hakke/opencode-acp-control-2/SKILL.md:279 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/studio-hakke/opencode-acp-control-2/SKILL.md:279 |
| CRITICAL | **Unsanitized `workdir` leads to command injection in `bash` calls.** The skill's `resumeSession` workflow constructs `bash` commands by directly concatenating a `workdir` variable into the command string (e.g., `"opencode acp --cwd " + workdir`). If `workdir` is derived from untrusted user input, a malicious string (e.g., `"; rm -rf /; #"`) could be injected, leading to arbitrary command execution on the host system. The `opencode session list` command also uses `workdir` in a similar fashion, posing the same risk. Ensure `workdir` is strictly validated and sanitized to prevent shell metacharacters. Ideally, use a tool that accepts `cwd` as a separate, safe parameter rather than concatenating it into the command string. If concatenation is unavoidable, escape all shell metacharacters before execution. | LLM | SKILL.md:160 |
| CRITICAL | **OpenCode ACP granted `fs` and `terminal` capabilities, risking arbitrary file/command execution via JSON-RPC.** The skill explicitly configures the OpenCode Agent Client Protocol (ACP) connection with `clientCapabilities` for `fs.readTextFile`, `fs.writeTextFile`, and `terminal` access. The agent is then instructed to send JSON-RPC messages, including user prompts, to this OpenCode process via `process.write`. If untrusted user input can be crafted into a JSON-RPC message (e.g., by injecting a malicious method call or parameters into the `session/prompt` data), the OpenCode process could be coerced into reading/writing arbitrary files or executing arbitrary terminal commands on the host system, leading to data exfiltration, data corruption, or full system compromise. Recommendations: (1) **Principle of Least Privilege**: re-evaluate whether `fs` and `terminal` capabilities are strictly necessary for the skill's intended function, and disable them if not. (2) **Input Sanitization**: implement robust sanitization and validation for all user-provided input that is incorporated into JSON-RPC messages sent to OpenCode; ensure that user input cannot introduce new JSON-RPC methods or manipulate existing parameters to perform unauthorized actions. (3) **Protocol-level Security**: if possible, configure OpenCode itself to restrict or log `fs` and `terminal` operations initiated via ACP. | LLM | SKILL.md:70 |
| LOW | **`process.list()` can expose sensitive system process information.** The `updateOpenCode` function uses `process.list()` to identify running OpenCode processes. While intended for internal management, the output of `process.list()` typically contains details about all running processes (PIDs, commands, users, etc.). If this output is inadvertently exposed to an untrusted user (e.g., in a verbose log or a debugging response), it could lead to the leakage of sensitive system information about the host environment. Ensure that the output of `process.list()` is never exposed to untrusted users. Filter the output to only include necessary information (e.g., `sessionId` for OpenCode processes) before any potential exposure. | LLM | SKILL.md:200 |
Full report: https://skillshield.io/report/c7aeb8b8d33afdd9 (powered by SkillShield)