Permissions are broken when installing OpenCode with this plugin.

[cantalupo555]

When you install this plugin, OpenCode no longer respects the settings in opencode.json.
It begins editing and executing commands without our confirmation.

The plugin is instructing the model to use the mcptool CLI via bash to access MCP servers.
Because I have "bash": { "*": "allow" } in my opencode.json, bash commands are being executed automatically, bypassing the specific rules I had in ask or deny.
(This shouldn't happen, since OpenCode allows exception lists even when “*”: “allow” is set)

This created a loophole where the model could execute any MCP tool without confirmation, as OpenCode perceived it as a simple "allowed" bash command.

[Nomadcxx]

Thanks for raising this, I had a look at it today.

I think the confusing bit here is that the mcp bridge currently uses mcptool as a shell-based bridge. That means opencode applies the bash permission rule to mcptool call ..., rather than a separate mcp permission rule.

So with a config like bash: { "*": "allow" }, opencode is basically doing what it was told to do: allow shell commands. The catch is that broad bash access also allows commands that can reach mcp tools through mcptool.

I’ve added a readme note to make this clearer. If you want mcp calls to keep asking for confirmation, the safer config is to keep bash as ask, or add an explicit ask/deny rule for mcptool call *.

I’ll leave this open for now in case there’s a better way to expose mcp tools without relying on the shell bridge.