registry  /  opencode-agent-skills-md  /  1.5.0

opencode-agent-skills-md@1.5.0

OpenCode plugin for agent skills — single-package Bun layout.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious package attack surface. At runtime it discovers skills and injects OpenCode session guidance; its explicit script tool can run a selected executable belonging to a discovered skill.

Static reason
No blocking static signals were detected.
Trigger
OpenCode loads the plugin; script execution requires an explicit `run_skill_script` tool invocation.
Impact
Can read discovered skill content and execute an explicitly selected local skill script, but source shows no install-time mutation, exfiltration, remote payload, or stealth persistence.
Mechanism
Skill discovery, session prompt injection, and guarded execution of user/project skill scripts.
Rationale
Static inspection finds a package-aligned OpenCode skills plugin with no lifecycle execution or network/exfiltration behavior. Its local-script capability is explicit, constrained to discovered skill executables, and is not a concrete malicious chain.
Evidence
package.jsonsrc/plugin.tssrc/tools.tssrc/skills.tssrc/claude.tssrc/scripts.tsdist/src/tools.jssrc/host.tssrc/parse.tssrc/preference-hooks.tsdist/src/plugin.jsdist/src/skills.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/tools.ts` exposes `run_skill_script`, which executes executable files discovered inside user/project skill directories.
  • `src/plugin.ts` injects synthetic skill guidance into OpenCode chat sessions and can modify native tool descriptions when an opt-in environment flag is set.
  • `src/skills.ts` and `src/claude.ts` read configured project and `~/.claude` skill/plugin directories.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • No package code uses network clients/endpoints, credential harvesting, dynamic code loading, or destructive filesystem APIs.
  • `run_skill_script` requires an explicit tool call, restricts scripts to discovered executable files, quotes arguments, and applies a timeout.
  • `src/tools.ts` realpath-checks requested skill files to prevent reads outside a selected skill directory.
  • The shipped `dist/src/*.js` maps to the included TypeScript sources; no extra binary/native artifacts were found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 144 KB of source

Source & flagged code

3 flagged · loading source
src/tools.tsView file
Published source reference
Low
Ai Review Evidence

`src/tools.ts` exposes `run_skill_script`, which executes executable files discovered inside user/project skill directories.

src/tools.tsView on unpkg
src/plugin.tsView file
Published source reference
Low
Ai Review Evidence

`src/plugin.ts` injects synthetic skill guidance into OpenCode chat sessions and can modify native tool descriptions when an opt-in environment flag is set.

src/plugin.tsView on unpkg
src/skills.tsView file
Published source reference
Low
Ai Review Evidence

`src/skills.ts` and `src/claude.ts` read configured project and `~/.claude` skill/plugin directories.

src/skills.tsView on unpkg

Findings

1 Medium6 Low
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowAi Review Evidencesrc/tools.ts
LowAi Review Evidencesrc/plugin.ts
LowAi Review Evidencesrc/skills.ts