alt Hacker NewsI am more concerned about their, umm, gallant approach to security. Not only that OpenCode is permissive by default in what it is allowed to do, but that it apparently tries to pull its config from the web (provider-based URL) by default [1]. There is also this open GitHub issue [2], which I find quite concerning (worst case, it's an RCE vulnerability).
Replies
ct520 • today at 1:30 AM
I second that.
Have fun on windows - automatic no from me. https://github.com/anomalyco/opencode/issues?q=is%3Aissue%20...
➕ show 1 reply
woctordho • today at 1:02 AM
RCE is exactly the feature of coding agents. I'm happy with it that I don't need to launch OpenCode with --dangerously-skip every time.
TZubiri • today at 2:35 AM
I assign a specific user for it, which doesn't have much access to my files. So what I want is complete autonomy.
iam_circuit • today at 3:09 AM
[dead]
It also sends all of your prompts to Grok's free tier by default, and the free tier trains on your submitted information, X AI can do whatever they want with that, including building ad profiles, etc.
You need to set an explicit "small model" in OpenCode to disable that.