Skillv1.0.0

ClawScan security

OpenCode Remote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 5:05 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions mostly match its stated purpose (remote OpenCode session management) but contain several inconsistencies and surprising choices (hard-coded root config path, implicit persistent monitoring via cron, a default SOCKS5 proxy) that warrant caution before installing or running.
Guidance: This skill appears to implement what it claims (remote OpenCode session management) but has surprising behaviors you should consider before using it: - File path mismatch: SKILL.md says to record sessions to 'opencode-sessions.md' but the provided main_session_manager.py writes JSON to /root/.openclaw/workspace/opencode-sessions.json. That will fail unless run as root or the directory exists; change the path to a safe, user-writable location if you plan to run it. - Persistent monitoring: The skill instructs creating cron jobs and includes a long-running monitor script. If you enable this, the agent (or your machine) will poll the remote server every 5 minutes and store/report session data. Confirm you want that continuous network activity and what data will be reported. - Default proxy: monitor_session.py uses a default SOCKS5 proxy (socks5://127.0.0.1:1080) that is not documented in SKILL.md. If you don't intend to route traffic through a local proxy, remove or override this default; otherwise traffic will attempt to use that proxy which may silently fail or leak to unintended routes if you have one configured. - Remote shell and file APIs: The referenced API exposes endpoints for executing shell commands, reading files, PTY creation, etc. Those are powerful and can read or modify remote host files — ensure you trust the OpenCode server and that you intend to use those capabilities. Recommendations before installing or running: 1. Inspect and (preferably) modify the code: change the session storage path to a non-root location, remove or make explicit the default SOCKS proxy, and verify cron commands are appropriate for your environment. 2. Run scripts in an isolated environment (container or non-privileged account) to avoid accidental writes to /root or persistent daemons running under your account. 3. Decide explicitly whether you want periodic monitoring; if not, do not add the cron job and run monitoring only when asked. 4. Review the server endpoints you will query (esp. shell/file endpoints) to avoid unintended remote commands or data exposure. 5. If anything is unclear, ask the skill author to justify the /root path and the proxy default and to provide an option to store state in the current working directory. Because of the mismatches and persistence instructions, treat this skill as 'suspicious' until you confirm or remediate the noted issues.

Review Dimensions

Purpose & Capability: noteFunctionality (listing sessions, sending messages, monitoring, creating sessions, executing shell via API) aligns with the described OpenCode remote management purpose. However, the SKILL.md says session records should be stored in an 'opencode-sessions.md' (project-relative) while main_session_manager.py writes to /root/.openclaw/workspace/opencode-sessions.json — an unexplained mismatch that implies the code expects to write into root's home rather than a local workspace.
Instruction Scope: concernSKILL.md instructs automatic, recurring monitoring (every 5 minutes) after any message send and suggests creating cron jobs; monitor_session.py implements long-running polling. The instructions also require echoing full prompts/assistant outputs back to the user (which could reveal sensitive session content). The docs encourage running commands like POST /session/{id}/shell and adding cron entries — these expand scope into persistent background network activity and remote command execution, which are legitimate for this tool but significant and not explicitly surfaced as persistent behavior to end users.
Install Mechanism: okNo install spec is provided (instruction-only), and included scripts are plain Python — nothing is downloaded or extracted at install time. This is lower install-mechanism risk.
Credentials: noteThe skill declares no required environment variables or credentials, which is consistent with the code that takes explicit base_url and optional proxy parameters. However, monitor_session.py uses a hard-coded default proxy 'socks5://127.0.0.1:1080' (not documented in SKILL.md), and main_session_manager.py writes to a privileged-looking path (/root/.openclaw/workspace/opencode-sessions.json) despite SKILL.md suggesting recording to a repo-relative markdown file. These are disproportionate surprises: they imply network routing via a local SOCKS proxy and writing to /root without declaring that requirement.
Persistence & Privilege: concernThe skill strongly encourages (and documents) creating scheduled monitoring tasks (cron every 5 minutes) and provides a long-running monitor script. While 'always' is false, the instructions explicitly direct the user to establish persistent monitoring behavior and file storage — this gives the skill ongoing network activity and disk writes if the user follows them. Also, the code writes session state to /root, which requires elevated filesystem privileges.