Opencode Acp Control
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a transparent OpenCode controller, but it can start a background OpenCode process with project file and terminal access, so users should use it only in trusted workspaces.
Use this skill only if you already trust the local OpenCode CLI. Run it in the specific project you intend to work on, avoid exposing secrets unnecessarily, review prompts before sending them, and make sure the background OpenCode process is stopped when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
OpenCode may be able to work with project files and terminal operations during a session, depending on what the user asks and how the ACP interaction proceeds.
The skill tells the agent to advertise filesystem read/write and terminal capability to OpenCode. This is expected for a coding-agent integration, but it gives the OpenCode session high-impact local capabilities.
"clientCapabilities":{"fs":{"readTextFile":true,"writeTextFile":true},"terminal":true}Use this only with a trusted OpenCode installation and in the intended project directory; consider a sandbox or clean worktree for risky tasks.
An OpenCode process may keep running until it is killed, which could continue consuming resources or holding session state.
The skill starts a background OpenCode process. This is disclosed and paired with a documented stop command, so it is a persistence notice rather than hidden background behavior.
Start OpenCode | `bash(command: "opencode acp", background: true)` ... Stop OpenCode | `process.kill(sessionId)`
Confirm the background process is stopped after use, especially when working on sensitive projects.
Old session history may influence new answers or expose previous project discussion in the resumed context.
Resuming sessions reuses prior OpenCode conversation context. The skill says to ask the user which session to resume, which provides user control, but prior context may contain sensitive data or stale instructions.
Resume a previous OpenCode session by letting the user choose from available sessions.
Resume only sessions you recognize, and start a new session for sensitive or unrelated work.
Users may not realize they need to install and trust the local OpenCode CLI before using this skill.
The workflow relies on an external `opencode` binary, while the registry metadata provided for review lists no required binaries and no install spec. The dependency is visible in the instructions, but not declared in the requirements metadata.
`bash(command: "opencode acp", background: true)`
Verify the installed OpenCode CLI and its source before running the skill; the publisher should declare `opencode` as a required binary.