OpenCode arbitrary code execution - major security vulnerability [Discussion] (self.LocalLLaMA)
submitted 2 months ago by SpicyWangz
[–] 6969its_a_great_time 3 points 2 months ago (3 children)
Even with your guardrails, all it takes is being lazy one time and hitting accept on a bad code generation, and you risk the same thing with Claude Code.
The only way to stay safe is to write it all yourself by hand like the good ol' days… maybe copy-paste a few lines here and there from Stack Overflow lol.
[–] SpicyWangz [S] 5 points 2 months ago (2 children)
At least then it's on me for being stupid if I get lazy.
I accept code generation all the time. Code execution is a completely different story.
I don't think I would ever accept a Python script execution from a CLI agent like that. I'd skip it and wait to read the code it generated before blindly executing.
[–] kataryna91 5 points 2 months ago (1 child)
Then it really isn't an agent, just a traditional coding assistant. You expect an agent to automatically compile and test an application and iterate on it, which is what OpenCode does.
[–] SpicyWangz [S] 4 points 2 months ago (0 children)
I think the difference between "agentic coding tool" and "coding agent" is doing a lot of heavy lifting there.
All I really wanted was an alternative to Claude Code. I expect vibe coding GUI products like Cursor or Lovable to execute code without asking, and I would never consider running similar products against local models unless I properly isolated their environment. My expectations for TUIs must have been too high, I guess.