Description
I've created an "offline" agent to limit the risk of leaking sensitive data via prompt injection when working on untrusted data.
```jsonc
"agent": {
  "offline": {
    "permission": {
      "bash": {
        "*": "ask",
      },
      "edit": "ask",
      "webfetch": "deny",
    },
    "tools": {
      "context7_*": false,
      "gh_grep_*": false,
      "kagi_*": false,
      "webfetch": false,
    },
  },
},
```
But the agent can easily circumvent the tool limitations by delegating the task to a sub-agent. And it does not even ask for permission to run the tool. This can be solved by disabling the task tool. But it would be better if by default tasks were using the same agent with the same permissions/tools.
PS: it seems to work fine for native tools like webfetch (not sure about this; sometimes it hangs, sometimes it rightfully fails).
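To make the requested behaviour concrete, here is an added illustration (not OpenCode's code, and not the reporter's) of how a delegated task could inherit its parent's restrictions: the permission and tool settings of every agent in the delegation chain are combined and the strictest outcome wins, so a sub-agent can never regain a tool that the "offline" agent disabled. The config dicts mirror the report's agent; the `general` sub-agent, the glob-based resolution, and the `allow < ask < deny` ordering are assumptions for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample modelled on the issue's "offline" agent (assumed shape;
# only the keys shown in the report are taken from the page).
OFFLINE_AGENT = {
    "permission": {"bash": {"*": "ask"}, "edit": "ask", "webfetch": "deny"},
    "tools": {"context7_*": False, "gh_grep_*": False, "kagi_*": False, "webfetch": False},
}
# Hypothetical default sub-agent with no restrictions of its own.
GENERAL_AGENT = {"permission": {}, "tools": {}}

# Assumed strictness ordering: a stricter level always overrides a looser one.
RANK = {"allow": 0, "ask": 1, "deny": 2}


def tool_enabled(agent, tool):
    """A tool is enabled unless some glob in agent['tools'] matches it with False.
    Any matching False wins, so the check fails closed."""
    enabled = True
    for pattern, flag in agent.get("tools", {}).items():
        if fnmatchcase(tool, pattern):
            enabled = enabled and bool(flag)
    return enabled


def permission_for(agent, tool, command=None):
    """Resolve a tool's permission level; bash permissions are per-command globs."""
    entry = agent.get("permission", {}).get(tool, "allow")
    if isinstance(entry, dict):
        level = "allow"
        for pattern, p in entry.items():
            if command is not None and fnmatchcase(command, pattern):
                if RANK[p] > RANK[level]:
                    level = p
        return level
    return entry


def effective_policy(chain, tool, command=None):
    """Walk the delegation chain (parent first, sub-agents after) and keep the
    strictest outcome. Returns (enabled, permission_level)."""
    enabled = True
    level = "allow"
    for agent in chain:
        enabled = enabled and tool_enabled(agent, tool)
        p = permission_for(agent, tool, command)
        if RANK[p] > RANK[level]:
            level = p
    return enabled, level


def can_run(chain, tool, command=None):
    """True only if every agent in the chain enables the tool and none denies it.
    A result of 'ask' still requires the user to confirm before the call runs."""
    enabled, level = effective_policy(chain, tool, command)
    return enabled and level != "deny"


if __name__ == "__main__":
    chain = [OFFLINE_AGENT, GENERAL_AGENT]
    # The sub-agent alone would be allowed to call kagi_search; under the
    # offline parent it is blocked, which is the behaviour the report asks for.
    print(can_run([GENERAL_AGENT], "kagi_search"))   # True
    print(can_run(chain, "kagi_search"))             # False
    print(effective_policy(chain, "webfetch"))       # (False, 'deny')
    print(effective_policy(chain, "bash", "ls -la")) # (True, 'ask')
```

The point of folding the whole chain rather than only the innermost agent is that delegation becomes a no-op for privilege: a task spawned from "offline" sees exactly the tools "offline" sees, and anything rated "ask" in the parent still prompts the user when the sub-agent tries it.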
OpenCode version
1.0.15
Steps to reproduce
- Create an agent "offline" with webfetch and an MCP with online access disabled (ex: kagi)
- Using the "offline" agent, ask it to search online for whatever information
- It will delegate a task and use an MCP tool like kagi
Screenshot and/or share link
No response
Operating System
macOS 26.0.1
Terminal
Ghostty