OpenCode CLI API Controller

Security checks across malware telemetry and agentic risk

Overview

The skill drives a local OpenCode server for coding automation. The authority to change files is expected for that purpose, and the scan found no evidence of hidden exfiltration or other malicious behavior.

Install only if you intend to let an agent drive OpenCode on your projects. Keep the OpenCode server bound to 127.0.0.1 when possible, do not expose it on shared networks without authentication, review the configured BASE_URL before use, and treat saved state, event logs, prompts, paths, and diffs as sensitive project data.

SkillSpector (by NVIDIA)

Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The skill states that the agent is explicitly prohibited from reading source code directly, yet later documents retrieving file contents through the server's API endpoints. The two instructions conflict, and the second defeats the first: source access reframed as an API call is still source access, so the stated boundary gives users a false picture of what the agent can read and can bypass the safety control it appears to impose.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The skill says file operations should be delegated to OpenCode and that the orchestrator should check only status or diff summaries, but later instructs the orchestrator to list directories and fetch file contents itself. The inconsistency weakens the operational safeguard and lets an agent reach into local project data under the guise of orchestration.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The examples have users create directories, create or load sessions, and send prompts that trigger AI-driven code generation and file modification, but they never state plainly that these actions write to the filesystem and change project contents. For a skill whose purpose is to drive a CLI through a local web API, the omission raises the chance of unintended edits to user files, or of destructive operations being run in the wrong project directory.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide encourages real-time monitoring, raw SSE consumption, and redirecting output to log files without warning that the stream may carry sensitive session data: generated code, file-change details, prompts and responses, and token or cost metadata. In a local-network remote-control skill, users who follow this guidance can end up retaining that data in terminal history, shared logs, or world-readable files, with no hint that it needed protecting.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The documentation shows API keys being placed directly into CLI config and environment variables with no guidance on credential handling, redaction, or keeping config files out of version control. In a skill centered on remote CLI control and local web server automation, normalizing this pattern increases the chance that users expose long-lived provider credentials through shell history, config files, logs, or source control.
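The two findings above (session data in redirected SSE output, and provider keys in config and environment) share a mitigation: scrub credential-shaped values before anything reaches a log, and create the log with owner-only permissions. The helpers below are an added example, not code from the skill or from OpenCode; the key names and token shapes they match, and the sample event stream, are constructed for illustration and are not a list of formats OpenCode is known to emit.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill: scrub likely credentials from OpenCode
# event/SSE output before it is written to a log, and create that log with
# owner-only permissions. The key names and token shapes matched below are
# this example's assumptions about what may appear in the stream.
set -u

# Filter stdin to stdout, replacing credential-looking values with [REDACTED].
# Rule 1: the value of a key named api_key/apiKey/API_KEY, token or
#         authorization (JSON, YAML or KEY=value form), keeping an optional
#         "Bearer " prefix so the line stays readable.
# Rule 2: any remaining sk-... style token of 16 or more characters.
redact() {
  sed -E \
    -e 's/("?([Aa][Pp][Ii][_-]?[Kk][Ee][Yy]|[Tt][Oo][Kk][Ee][Nn]|[Aa][Uu][Tt][Hh][Oo][Rr][Ii][Zz][Aa][Tt][Ii][Oo][Nn])"?[[:space:]]*[:=][[:space:]]*"?)([Bb]earer )?[^"[:space:],}]+/\1\3[REDACTED]/g' \
    -e 's/sk-[A-Za-z0-9_-]{16,}/sk-[REDACTED]/g'
}

# Create or truncate a log file that only the current user can read, before
# the first byte of session output lands in it.
secure_logfile() {
  ( umask 077 && : > "$1" ) && chmod 600 "$1"
}

# Constructed sample of what a redirected event stream might contain: a prompt
# that quotes a credential, provider config with a key, a raw header, and a
# project path. The path is kept; it is needed to make sense of the log.
SAMPLE='event: message
data: {"role":"user","content":"put OPENAI_API_KEY=sk-constructed0123456789ABCDEF into .env"}
data: {"provider":{"apiKey":"sk-constructedAAAABBBBCCCCDDDD"},"cost":0.0042}
Authorization: Bearer constructedtoken123456
data: {"path":"/home/alice/customer-acme/secrets.py","tokens":{"input":12,"output":40}}'

redacted_sample() {
  printf '%s\n' "$SAMPLE" | redact
}

# Stand-alone demo: write the redacted sample to an owner-only log and show it.
if [ "${1:-}" = "--demo" ]; then
  LOG="${2:-./opencode-events.log}"
  secure_logfile "$LOG"
  redacted_sample | tee "$LOG"
fi
```

In practice the filter sits between the stream and the file, for example `curl -N "$BASE_URL/event" | redact | tee "$LOG"`, with `secure_logfile "$LOG"` run first. Note that redaction by pattern is best-effort: a key that does not match the assumed shapes passes through, so the stricter control is still to keep the log itself out of shared locations.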

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The usage criteria are broad enough to match many generic coding, debugging, and project-management requests, so the skill can be invoked in situations where the user did not clearly consent to remote orchestration through a local API. Overbroad triggers increase the chance of unnecessary file modification, session creation, and data transmission to the local service.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The description emphasizes orchestration and status reporting but does not clearly warn that OpenCode may create and modify project files on the user's behalf. Users may read the skill as observational or supervisory only, when in practice it can trigger substantive changes to codebases and project directories.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill advertises control of OpenCode through a web API reachable on the local network, but never warns that prompts, file paths, project metadata, and possibly source content travel to that service unauthenticated. Combined with the later statement that password authentication is not enabled by default, this is a significant confidentiality and misuse risk on shared or untrusted networks: anyone who can reach the port can create sessions and send prompts against the user's projects.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script sends the local project path as a query parameter to a web server endpoint, exposing filesystem structure over the network. Because the API is explicitly intended for remote control on the local network, leaking local paths is more sensitive here than it would be for a purely local tool: it reveals workspace locations and can aid further targeting, logging exposure, or unauthorized session correlation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script sends the local project path to a web server endpoint as a query parameter with no notice, consent prompt, or minimization. Even on a local-network service, filesystem paths can reveal usernames, repository names, customer identifiers, or sensitive directory structure, and query parameters in particular tend to be recorded by servers, proxies, and shell history.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script sends both the user-supplied message and the local project path to an endpoint derived from BASE_URL, with no validation that the endpoint is trusted and no user-facing disclosure that potentially sensitive local metadata is being transmitted. For a skill built for remote CLI control over a local network, this raises the risk of inadvertent data exposure, especially if BASE_URL is configured with plain HTTP or points at an unintended host.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 95%
Content
# Create session
RESPONSE=$(curl -s -X POST "$BASE_URL/session?directory=$PROJECT_PATH" \
  -H "Content-Type: application/json" \
  -d "{\"title\": \"$TITLE\"}")
Finding: The local project path is sent, unencoded, as a query-string parameter to whatever host BASE_URL names, and TITLE is interpolated straight into the JSON body; the snippet validates neither BASE_URL nor its inputs.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 96%
Content
# Send message
RESPONSE=$(curl -s -X POST \
  "$BASE_URL/session/$SESSION_ID/message?directory=$PROJECT_PATH" \
  -H "Content-Type: application/json" \
  -d "$REQUEST_BODY")
Finding: The user-supplied message in REQUEST_BODY and the local project path (again as a raw query-string parameter) are sent to an endpoint built from BASE_URL, with no check that the endpoint is the intended host.
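Both flagged calls, and the Overview's advice to review BASE_URL, come down to the same gaps: nothing checks where BASE_URL points, and PROJECT_PATH and TITLE are spliced raw into the URL and the JSON body. The helpers below are an added example, not code from the skill or from OpenCode, showing the checks a practitioner would put in front of those curl calls. BASE_URL, PROJECT_PATH and TITLE are the skill's own variable names; the rule that plain http is acceptable only for loopback, and the port numbers used in the usage, are this example's assumptions and not OpenCode defaults.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill: preflight checks for the skill's curl
# calls to the OpenCode server. The policy (plain http only to loopback, https
# anywhere) is this example's assumption, not an OpenCode requirement.
set -u

# Return 0 if BASE_URL is plain http to a loopback host, or https to any host.
# Otherwise print the reason on stderr and return 1.
check_base_url() {
  local url="$1" scheme hostport host
  scheme="${url%%://*}"
  [ "$scheme" != "$url" ] || { echo "no scheme in '$url'" >&2; return 1; }
  hostport="${url#*://}"
  hostport="${hostport%%/*}"
  hostport="${hostport%%\?*}"
  case "$hostport" in
    \[*\]*) host="${hostport%%]*}]" ;;   # bracketed IPv6 literal, e.g. [::1]
    *)      host="${hostport%%:*}" ;;
  esac
  case "$scheme" in
    https) return 0 ;;
    http)
      case "$host" in
        127.0.0.1|localhost|\[::1\]) return 0 ;;
        *) echo "refusing plain http to non-loopback host '$host'" >&2; return 1 ;;
      esac ;;
    *) echo "unsupported scheme '$scheme'" >&2; return 1 ;;
  esac
}

# Percent-encode a string for a query parameter (RFC 3986 unreserved set kept).
# LC_ALL=C makes the loop byte-wise so multibyte paths are encoded per byte.
urlencode() {
  local LC_ALL=C s="$1" out="" i c
  for (( i=0; i<${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9.~_-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Emit a JSON string literal, escaping quotes, backslashes and control
# characters, so a title containing a quote cannot alter the request body.
json_string() {
  local LC_ALL=C s="$1" out="" i c
  for (( i=0; i<${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      \")           out+='\"' ;;
      \\)           out+='\\' ;;
      $'\n')        out+='\n' ;;
      $'\t')        out+='\t' ;;
      [[:cntrl:]])  out+=$(printf '\\u%04X' "'$c") ;;
      *)            out+="$c" ;;
    esac
  done
  printf '"%s"' "$out"
}

# The two URLs and the body the skill's snippets build, with inputs encoded.
session_url()  { printf '%s/session?directory=%s' "$1" "$(urlencode "$2")"; }
message_url()  { printf '%s/session/%s/message?directory=%s' "$1" "$(urlencode "$2")" "$(urlencode "$3")"; }
session_body() { printf '{"title": %s}' "$(json_string "$1")"; }

# Stand-alone usage: refuse to proceed unless BASE_URL passes the check.
if [ -n "${BASE_URL:-}" ] && check_base_url "$BASE_URL"; then
  session_url "$BASE_URL" "${PROJECT_PATH:-$PWD}"; echo
  session_body "${TITLE:-example session}"; echo
fi
```

Wiring this into the flagged snippets is a matter of replacing `"$BASE_URL/session?directory=$PROJECT_PATH"` with `"$(session_url "$BASE_URL" "$PROJECT_PATH")"` and the hand-built title JSON with `"$(session_body "$TITLE")"`, after `check_base_url "$BASE_URL" || exit 1`. The check does not make the path less sensitive; it only ensures the path goes where the user intended and survives the trip intact.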

VirusTotal

66/66 vendors returned a clean verdict for this skill.