Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- opencode/plugins/inner-os.js:106
- Evidence
return execSync(`node ${JSON.stringify(script)} ${name}`, {
Security audit
Security checks across malware telemetry and agentic risk
The skill mostly matches its stated purpose, but one plugin path builds a shell command with an unquoted dynamic persona value, which should be reviewed before installation.
Before installing, review the OpenCode shell-execution path or wait for a fix that uses safe argument handling. If you install anyway, prefer pinned marketplace/release installation, avoid untrusted persona names, and only enable prompt-history/profile features with narrow, explicit approval.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
return execSync(`node ${JSON.stringify(script)} ${name}`, {