Oathe Security Badge

Is extensions/opencode-pi safe?

https://github.com/luongnv89/pi-extensions/tree/main/extensions/opencode-pi

88
SAFE

This is a legitimate Pi Coding Agent extension that provides a bridge to OpenCode CLI models. The extension implements proper security controls by denying OpenCode access to various tools and follows good practices with cleanup and error handling.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM External Binary Execution -20

The extension spawns the OpenCode CLI binary for its core functionality. While this is the documented purpose, it creates a dependency on an external executable that could pose risks if compromised.

LOW Environment Variable Dependency -5

The extension uses OPENCODE_PI_BIN and OPENCODE_PI_MODELS environment variables to configure behavior, which could be manipulated by attackers with environment access.

INFO No SKILL.md File 0

This is a Pi extension rather than a Claude skill, so the absence of SKILL.md is expected and not a security concern.