Open
Description
Feature hasn't been suggested before.
- I have verified this feature I'm about to request hasn't been suggested before.
Describe the enhancement you want to request
Problem:
When creating skills or commands that need specific tool permissions (e.g., a /commit command that needs git commit and git add), there's no way to scope those permissions to the skill/command invocation. Users must either:
- Globally allow those commands (reducing safety)
- Keep them as ask and manually approve every time the skill/command runs
Proposed solution:
Allow skills and commands to define permission overrides in their frontmatter that apply only during their execution:
For skills (SKILL.md):
---
name: git-commit
description: Commit workflow with conventional commits
permission:
  bash:
    "git add *": allow
    "git commit *": allow
---
For commands (.opencode/command/commit.md):
---
description: Run commit workflow
permission:
  bash:
    "git add *": allow
    "git commit *": allow
---
Behavior:
- Permission overrides apply only while the skill is loaded or command is executing
- Overrides merge with (and take precedence over) global/agent permissions for the duration
- After skill/command completes, permissions revert to normal
- Optional: require user confirmation when a skill/command requests elevated permissions (similar to ask but at skill-load time rather than per-command)
Benefits:
- Enables safe, targeted permission elevation for specific workflows
- Reduces friction for trusted operations without globally loosening security
- Aligns with principle of least privilege
Use cases:
- Git commit workflows that need git add/git commit
- Release scripts that need gh release create
- Build commands that need specific npm/cargo/make invocations
jschmdt
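The scoping behavior requested above (overlay while the skill or command runs, precedence over global rules, revert on completion, optional one-time confirmation) can be sketched as follows. This is an added illustration, not opencode's code; `BashPermissions`, `withOverrides`, the glob matching and the last-match-wins ordering are all assumptions.

```typescript
// Added illustration of the proposed semantics; not opencode's implementation.
type Action = "allow" | "ask" | "deny";
type Rules = Record<string, Action>; // command glob -> action

// "git add *" style glob to anchored RegExp ("*" matches any run of characters).
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

class BashPermissions {
  private base: Rules;
  private scopes: Rules[] = []; // active skill/command overlays, innermost last
  constructor(base: Rules) { this.base = base; }
  // Innermost overlay first, global rules last. Within one rule set the
  // last matching pattern wins (assumption). No match at all falls back to "ask".
  resolve(command: string): Action {
    for (const rules of [...this.scopes].reverse().concat([this.base])) {
      for (const [pattern, action] of Object.entries(rules).reverse()) {
        if (globToRegExp(pattern).test(command)) return action;
      }
    }
    return "ask";
  }

  // Apply `overrides` only while `body` runs. `confirm` models the optional
  // one-time prompt at load time; the overlay is popped even if `body` throws.
  withOverrides<T>(overrides: Rules, confirm: (r: Rules) => boolean, body: () => T): T {
    if (!confirm(overrides)) throw new Error("permission overrides rejected");
    this.scopes.push(overrides);
    try {
      return body();
    } finally {
      this.scopes.pop();
    }
  }
}

// Constructed sample: global rules ask for everything except `git status`;
// the overlay is the frontmatter from the issue.
function demo(): Action[] {
  const perms = new BashPermissions({ "*": "ask", "git status": "allow" });
  const skill: Rules = { "git add *": "allow", "git commit *": "allow" };
  const commit = "git commit -m 'fix: typo'";
  const before = perms.resolve(commit);
  const during = perms.withOverrides(skill, () => true, () =>
    [perms.resolve(commit), perms.resolve("git push origin main")]);
  return [before, ...during, perms.resolve(commit)];
}
```

In this sketch `*` matches any characters, including shell operators, so a real matcher should evaluate each parsed command separately before granting `allow`.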