fix: add security warning for untrusted skill content#19195
Open
sumleo wants to merge 1 commit intoanomalyco:devfrom
Open
fix: add security warning for untrusted skill content#19195sumleo wants to merge 1 commit intoanomalyco:devfrom
sumleo wants to merge 1 commit intoanomalyco:devfrom
Conversation
Closes anomalyco#18781 Skills loaded from repositories may contain malicious instructions that trick the agent into writing to package manager configs, adding rogue registry URLs, or modifying system-wide settings. This is a supply-chain poisoning vector. Add a two-layer defense: - System prompt: append a <skill_security_policy> block to the skills section listing prohibited actions (registry hijacking, config writes, RCE patterns) - Skill tool output: wrap each loaded skill in a <skill_security_warning> reminding the agent that the content is untrusted before it processes the skill body
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #19123
Type of change
What does this PR do?
Adds a security warning block in the system prompt to mark repository-provided skill content as untrusted. This prevents supply chain attacks where a malicious repo includes poisoned skill files (
.opencode/agents/*/SKILL.md) that instruct the model to modify package manager configs, add attacker-controlled registries, or write hardcoded credentials.The fix adds 7 specific rules to the system prompt that prevent the model from blindly executing code found in repository-provided skill files. It works by teaching the model to recognize and refuse common supply chain poisoning patterns (pip registry hijacking, npm auth token injection, curl-pipe-bash hooks, etc.) before they can be executed.
The approach is prompt-level — no changes to the agent runtime or execution engine. The model internalizes the security policy and self-refuses when it encounters attack patterns in skill content.
How did you verify your code works?
Tested against 31 poisoned skill files in isolated Docker containers. Before the fix, multiple skills achieved full code execution (L3 breach). After the fix, all were refused (L1). Verified that legitimate skill instructions (coding conventions, project setup) continue to work normally.
Checklist