Opencode-controller

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only controller for Opencode, with no embedded code or install behavior, but users should verify Opencode, authentication links, session reuse, and delegated code changes.

This skill appears safe to install if you intend to control Opencode. Before use, make sure Opencode itself is trusted, verify any provider login link, approve the session and model choices, and review code changes made through Build mode.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill will operate whichever Opencode installation is available in the user's environment.

Why it was flagged

The skill has no install package or declared binary requirement, while its instructions direct use of Opencode. This is purpose-aligned, but the user should rely only on a trusted local Opencode installation.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Verify that Opencode is installed from a trusted source before using this controller.

What this means

Opencode may modify code or project files as part of the approved workflow.

Why it was flagged

The skill delegates implementation to Opencode Build mode. That is the stated purpose, but it can result in project file changes.

Skill content

- Ask Opencode to implement the approved plan.

Recommendation

Review the plan before Build mode and inspect resulting diffs or file changes before accepting them.

What this means

Using the skill may connect Opencode to a provider account or authentication flow.

Why it was flagged

The skill involves provider authentication, which is expected for model selection. The artifact requires user confirmation and does not show hardcoded credentials or credential logging.

Skill content

- Ask the user which AI provider to use.
- Ask how the provider should be authenticated.
- Do not proceed without confirmation.

Recommendation

Choose the provider intentionally, verify any login link domain, and avoid sharing API keys unless that is the intended authentication method.

What this means

Prior Opencode session context can influence future work on the same project.

Why it was flagged

The skill intentionally uses persistent Opencode sessions. This supports continuity, but retained context may contain sensitive project details or stale decisions.

Skill content

- Opencode keeps a history of projects
- The same project must always use the same session
- Reusing sessions preserves context and decisions

Recommendation

Use the correct project session and reset or create a new session with user approval when old context should not carry forward.