Skillv0.3.0

ClawScan security

Opencode Omo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 16, 2026, 8:23 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is a workflow guide for OpenCode and largely matches its stated purpose, but its runtime instructions tell the agent to read a user config file and run local scripts (and to invoke the opencode agent) without safety checks — this could execute arbitrary code, so review before use.
Guidance: This skill reads your OpenCode config and tells you to run local helper scripts and to invoke an OpenCode agent — those actions can execute arbitrary code in your environment. Before using it: 1) verify the opencode and clawhub binaries come from trusted sources and check their documentation; 2) inspect any ./scripts/*.sh helpers and ~/.config/opencode/opencode.json for unexpected behavior (network calls, credentials, destructive file ops); 3) run commands in an isolated environment (container or throwaway VM) first; 4) avoid running in sensitive repositories or on production systems until you're confident of the scripts' behavior. If the author can provide the helper scripts or more detail about what the opencode agent does and what the scripts perform, re-run this evaluation — that information would raise confidence and could change the verdict to benign.

Review Dimensions

Purpose & Capability: okName/description describe an OpenCode orchestration helper; the declared required binaries (opencode, git, clawhub) are coherent with that purpose. It is instruction-only (no code bundled), which matches a documentation/operational guide style.
Instruction Scope: concernThe SKILL.md directs the agent/user to read ~/.config/opencode/opencode.json (a user config path not listed in required config paths) and to run local scripts (./scripts/check-omo.sh, ./scripts/run-ulw.sh) and commands that invoke opencode agents (e.g., opencode run --agent sisyphus...). Running those scripts or agent commands can execute arbitrary code in the current environment; the instructions do not include safety checks, explicit validation steps, or guidance to inspect script contents first. This is scope creep relative to a purely read-only helper and presents an execution risk.
Install Mechanism: okNo install spec is provided; the skill is instruction-only. This is the lowest-risk install mechanism because nothing from the skill is written to disk by default.
Credentials: okThe skill does not request environment variables, credentials, or declared config paths. The only requirements are binaries (opencode, git, clawhub), which are proportionate to the described functionality. However, the instructions still access a user config file (~/.config/opencode/opencode.json) even though it wasn't declared under required config paths.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request persistent platform-level privileges or to modify other skills. (Note: autonomous invocation of skills is the platform default; that by itself is expected.)