Opencode Acp Control
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill coherently controls a local OpenCode ACP process, but users should notice it can start another coding agent with file and terminal capabilities.
Use this only if you trust your local OpenCode installation. Run it in a specific project directory, avoid unnecessary sensitive files, resume only known sessions, and verify the source/version because the package metadata is inconsistent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may start a local background OpenCode process and send prompts to it for work in a project directory.
The skill instructs the agent to launch a local OpenCode process and communicate with it through process I/O. This is central to the stated purpose, but it is still a meaningful local tool capability.
Start OpenCode | `bash(command: "opencode acp --cwd /path/to/project", background: true)` ... Send message | `process.write(sessionId, data: "<json-rpc>\n")` ... Stop OpenCode | `process.kill(sessionId)`
Use it only in the intended project directory, review what you ask OpenCode to do, and stop the process when finished.
OpenCode may receive prompts and project context and may be able to participate in file or terminal operations within the chosen workflow.
The ACP initialization tells OpenCode the client can provide filesystem read/write and terminal capabilities. That is purpose-aligned for a coding agent, but it creates an agent-to-agent boundary where project data and actions may flow through OpenCode.
"clientCapabilities":{"fs":{"readTextFile":true,"writeTextFile":true},"terminal":true}
Use a trusted local OpenCode installation, choose a narrow working directory, and avoid sensitive projects unless you are comfortable with OpenCode accessing that context.
Resuming an old session could bring previous conversation context into a new task.
The skill can reuse prior OpenCode sessions. It is disclosed and user-selected, but previous session context may contain sensitive or stale instructions that affect later work.
Resume a previous OpenCode session by letting the user choose from available sessions ... `opencode session list` ... "Which session would you like to resume?"
Resume only sessions you recognize, and start a fresh session for sensitive or unrelated tasks.
The package identity and version information are not fully consistent, so it may be harder to confirm exactly which release or source you are reviewing.
The included metadata differs from the supplied registry listing for this evaluated package, which names slug `opencode-acp-control-3` and version `0.1.1`. Combined with no install spec and source/homepage gaps in the registry metadata, this is a provenance note rather than evidence of malicious behavior.
"slug": "opencode-acp-control-2", "version": "0.1.0"
Verify the intended repository and local `opencode` binary before relying on the skill.
