Skillv0.1.1

ClawScan security

Opencode Acp Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 19, 2026, 8:06 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated goal (controlling OpenCode via ACP) but there are inconsistencies and surprising privileges—most notably it assumes and runs an external 'opencode' binary and requests filesystem capabilities without declaring those requirements or proven provenance.
Guidance: Before installing or enabling this skill: - Understand what it actually does: it launches your local 'opencode' CLI and speaks JSON-RPC to it, granting the OpenCode process the ability to read and write files in whatever working directory you provide. - Verify you have a trusted 'opencode' binary: the skill does not declare required binaries or provide an install origin. Confirm the CLI is from the official project (check the GitHub repo linked in SKILL.md) and that you trust that binary. - Prefer using the skill only in safe/test directories (not your entire home or production projects), or restrict the cwd you give it. - Ask the author to update the manifest to declare required binaries (e.g., requires.binaries: ["opencode"]) and to provide provenance/installation instructions; also resolve the metadata inconsistencies (ownerId/version). - If you need stricter safety, decline the skill or run it in an isolated environment (container/VM) so the agent and the opencode process cannot access sensitive files. Given the manifest mismatches and the broad filesystem capability, treat this skill with caution until provenance and declared requirements are clarified.

Review Dimensions

Purpose & Capability: concernThe SKILL.md clearly aims to control OpenCode via the Agent Client Protocol and will run the 'opencode' CLI (e.g., `opencode acp --cwd ...`). However the registry metadata declares no required binaries or install steps. That mismatch (the skill uses an external binary but doesn't declare it) is incoherent and should be explained by the author.
Instruction Scope: concernRuntime instructions tell the agent to start background processes, write arbitrary JSON-RPC to the process, and poll/kill it. The initialize payload includes clientCapabilities that enable fs readTextFile and writeTextFile — meaning OpenCode (via ACP) can read and write files in whatever working directory you pass. The SKILL.md allows operating on arbitrary project paths chosen at runtime, which is powerful and potentially sensitive. The instructions do not direct data to third-party endpoints, but they do enable broad filesystem access and arbitrary command execution via the local 'opencode' process.
Install Mechanism: noteThere is no install spec (instruction-only), which reduces risk from remote code downloads. However, because the skill relies on an external 'opencode' binary being present and runnable in the agent environment, the lack of declared required binaries or guidance about obtaining a trusted opencode binary is a provenance gap.
Credentials: concernThe skill lists no environment variables or credentials (which is reasonable), but the initialize message requests filesystem read/write capability. That is effectively broad access to the user's workspace even though the manifest declares no special permissions. Also the package metadata shows minor inconsistencies (ownerId/slug/version differ between registry metadata and _meta.json), which reduces confidence in provenance.
Persistence & Privilege: notealways:false (normal). The skill starts background processes (opencode runs in background) and tracks a processSessionId; such background processes may persist for the duration of a session, which is expected for a controller skill. Autonomous invocation is allowed by default (not a separate red flag), but combined with the filesystem capability this increases potential impact if you allow the agent to act without supervision.