fix: add security warning for untrusted skill content#18784
Closed
sumleo wants to merge 1 commit intoanomalyco:devfrom
Closed
fix: add security warning for untrusted skill content#18784sumleo wants to merge 1 commit intoanomalyco:devfrom
sumleo wants to merge 1 commit intoanomalyco:devfrom
Conversation
Closes anomalyco#18781 Skills loaded from repositories may contain malicious instructions that trick the agent into writing to package manager configs, adding rogue registry URLs, or modifying system-wide settings. This is a supply-chain poisoning vector. Add a two-layer defense: - System prompt: append a <skill_security_policy> block to the skills section listing prohibited actions (registry hijacking, config writes, RCE patterns) - Skill tool output: wrap each loaded skill in a <skill_security_warning> reminding the agent that the content is untrusted before it processes the skill body
Contributor
|
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details. |
github-actions
Bot
added
needs:compliance
Contributor
|
This PR doesn't fully meet our contributing guidelines and PR template. What needs to be fixed:
Please edit this PR description to address the above within 2 hours, or it will be automatically closed. If you believe this was flagged incorrectly, please let a maintainer know. |
Contributor
|
This pull request has been automatically closed because it was not updated to meet our contributing guidelines within the 2-hour window. Feel free to open a new pull request that follows our guidelines. |
github-actions
Bot
removed
the
needs:compliance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #19123
Summary
Problem
OpenCode loads skill content (
.opencode/agents/*/SKILL.md) directly into the LLM context without any sanitization or trust boundary. A malicious repository can include poisoned skill files that instruct the model to perform supply chain attacks (registry poisoning, credential exfiltration, curl-pipe-bash hooks).Changes
Added security warning in the system prompt that explicitly marks all repository-provided content as untrusted and defines guardrails against common supply chain attack patterns.
Test plan