ClawHub

Opencode Acp Control

v1.0.2

Control OpenCode directly via the Agent Client Protocol (ACP). Start sessions, send prompts, resume conversations, and manage OpenCode updates.

9· 4.2k·24 current·25 all-time
by@bjesuiter
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md expects the agent to run the 'opencode' CLI (e.g., `opencode acp`, `opencode session list`) and to use process/bash helpers (process.write, process.poll, process.kill). However the skill metadata declares no required binaries or credentials. The omission of the 'opencode' CLI (and the implicit requirement for the agent's process/bash capabilities) is an inconsistency: a user installing this should expect the skill to require the opencode binary and the ability to spawn background processes.
Instruction Scope
Runtime instructions tell the agent to start an OpenCode process in a specified workdir, send JSON-RPC messages, poll for responses, and restart/kill processes. This stays within the stated purpose (managing OpenCode sessions) but it does involve running shell commands and operating in user-specified project directories, which means the skill — via OpenCode — can interact with project files (the initialize message declares fs read/write capabilities). The instructions do not explicitly ask the agent to read unrelated system files or environment variables.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded code, which is lower risk. Nothing will be written to disk by the skill package itself. The primary risk comes from the runtime commands the instructions ask the agent to run.
Credentials
The manifest does not request environment variables or credentials, and the instructions do not reference secrets or unrelated credentials. That is proportionate. Note: the skill implicitly needs access to the user's filesystem via the OpenCode instance (cwd/workdir), but that is consistent with a code-workflow tool.
Persistence & Privilege
The skill does not set always:true and is user-invocable. disable-model-invocation is false (default autonomous invocation allowed), which is normal for skills; no excessive persistence or cross-skill configuration changes are requested.
What to consider before installing
This skill appears to do what it says (control OpenCode via ACP) but the manifest omitted a key runtime requirement: the 'opencode' CLI and the agent's ability to spawn background processes. Before installing, verify you trust the opencode binary you will run and the skill's author/repo (the SKILL.md links to a GitHub repo). Be aware this skill will run shell commands in your project directories and interact with files through OpenCode — avoid using it in environments with sensitive secrets or untrusted code. Ask the skill author to update the manifest to declare the required 'opencode' binary and any other runtime capabilities, and consider running it first in an isolated/test workspace.

Like a lobster shell, security has layers — review code before you run it.

latestvk9773wys6t0fkjvs1hhejt2mws7z0m79

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments