opencode-acp

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it delegates coding tasks to a local OpenCode agent, but that agent can modify files and run commands in the chosen project.

Install only if you trust the `opencode` binary and are comfortable letting it read, edit, and run commands in the project you select. Avoid using it on repositories with sensitive secrets unless isolated, and clear `.acp_sessions/` when persisted conversations should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill instructs the external tool to execute `openclaw system event --text ... --mode now`, which is outside the core ACP collaboration scope and causes an additional side effect in the host environment. This expands the trust boundary from code-editing into system-level signaling, and because the message content is dynamically composed from task output, it could be abused for misleading notifications, hidden workflow triggering, or policy bypass in environments that react to such events.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
During initialization, the client advertises `terminal: True`, granting the ACP server the ability to execute terminal commands in the target project context. That is substantially more powerful than simple code editing and means a compromised, malicious, or prompt-manipulated server could run arbitrary commands, access secrets, or alter the environment.

Missing User Warnings

Medium (84% confidence)
Finding
The code stores full conversation history, including user and assistant content, to local JSON files without any user-facing warning or consent flow. In a code-assistant context, prompts and responses may include credentials, proprietary code, file paths, or other sensitive data, so silent persistence increases the chance of unintended data exposure on shared systems or backups.

VirusTotal

All 64 vendors reported this skill as clean (0/64 detections).