OpenCode HTTP API

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its OpenCode API purpose, but it wraps a powerful local automation server and gives users under-scoped examples that could expose code-execution capability beyond localhost.

Review before installing. Use it only if you intend OpenClaw to drive OpenCode through a local API. Keep the server bound to 127.0.0.1 unless you have strong authentication, firewalling, and a trusted network. Disable auto-start if you do not want the skill launching OpenCode, and avoid sending secrets or sensitive diffs to sessions that may call external model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category: Dangerous Code Execution
Content
    startupinfo = subprocess.STARTUPINFO()
    startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW
    startupinfo.wShowWindow = subprocess.SW_HIDE
    subprocess.Popen(
        ["cmd", "/c", "start", "OpenCode Server",
         "opencode", "serve", "--port", str(port), "--hostname", host],
        startupinfo=startupinfo,
Confidence: 89%
Finding
subprocess.Popen( ["cmd", "/c", "start", "OpenCode Server", "opencode", "serve", "--port", str(port), "--hostname", host], startupinfo=star

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This skill is presented as an HTTP API wrapper, but it also starts a local server process when the endpoint is unavailable. That hidden capability materially changes the trust boundary: an importing agent may believe it is making network calls only, while the wrapper can initiate local execution, which is more dangerous in an agentic environment with broad filesystem and process access.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly shows binding the server to 0.0.0.0 and enabling mDNS discovery, which increases exposure from localhost-only access to the local network or beyond, yet it provides no adjacent warning about access control, firewalling, or when such exposure is appropriate. In the context of a skill that exposes powerful code-execution and session APIs, this can lead users to unintentionally publish sensitive functionality to other hosts on the network.

Missing User Warnings

Medium
Confidence: 88%
Finding
The authentication section shows optional Basic Auth environment variables but does not warn that the server may otherwise be reachable without authentication or that credentials supplied via environment variables may be exposed through shell history, process inspection, logs, or weak operational practices. Given this server exposes broad automation and code-oriented APIs, weak or absent authentication meaningfully raises the risk of unauthorized use.

Ssd 3

Medium
Confidence: 95%
Finding
Untrusted diff content is interpolated directly into the LLM prompt without isolation, allowing prompt injection embedded in code comments, docs, or diffs to steer the model away from the intended review task. In this skill context, the model is being used for code review, so adversarial PR content can manipulate the review, suppress findings, or attempt to elicit session or surrounding prompt context from the OpenCode system.

VirusTotal

VirusTotal findings are pending for this skill version.
