opencode
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a disclosed opencode automation helper, but it asks for broad shell/server access and local configuration inspection without clear safeguards for credentials or access control.
Install only if you want a broad local automation helper. Before use, verify the opencode CLI source, keep servers bound to localhost with a password, avoid exposing port 4096, do not display config or environment files containing API keys, and review any sudo, delete, archive extraction, or file-copy commands before allowing the agent to run them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the opencode server is reachable without authentication, another local or network user/process could potentially interact with it or influence coding actions.
The documentation demonstrates starting an opencode server and shows an unsecured-server warning, while other server examples do not require a password. A coding/server interface can have high-impact file or command authority if exposed.
opencode web --port 4096 --hostname 127.0.0.1
! OPENCODE_SERVER_PASSWORD is not set; server is unsecured.
...
opencode serve --port 4096
Bind servers to 127.0.0.1, set an explicit server password or access control, avoid mDNS/firewall exposure unless necessary, and stop the service after use.
API keys or account configuration could be copied into the agent context, logs, reports, or generated outputs if these files are displayed unredacted.
The skill tells the agent/user to inspect local opencode configuration and environment paths. Such files may contain provider settings, API keys, or account configuration, but the metadata declares no credentials/config paths and the instructions do not require redaction.
# Main configuration file
~/.config/opencode/config.json
# Environment variable file
~/.config/opencode/environment
...
# View current configuration
cat ~/.config/opencode/config.json
Do not read opencode config or environment files unless necessary; redact tokens and API keys first, and the skill should explicitly declare and scope any credential/config access.
Users may install or run a different package/version than expected if they do not verify the opencode source.
The helper script points users to a global npm install for the external opencode CLI, while the skill has no install spec or pinned dependency information.
print_info "安装方法:npm install -g opencode"
Install opencode only from its verified official source, pin trusted versions where possible, and avoid running unverified global npm packages.
Imported sessions could bring untrusted instructions into a new task, and exported sessions could disclose sensitive project or conversation content.
The skill documents exporting and importing opencode sessions, including from a URL. Sessions can contain prior prompts, outputs, secrets, or instructions that may influence later tasks.
opencode export <session_id>
...
opencode import https://opncd.ai/s/abc123
...
opencode import --continue session.json
Review and redact sessions before export/import, and only continue sessions from trusted files or URLs.
Long-running monitors or servers can consume resources or keep local interfaces available until manually stopped.
The included helper has a deliberate infinite monitoring loop, and the skill also documents server modes. This is disclosed and user-invoked, but it can keep processes running beyond the immediate task.
monitor_opencode() {
...
while true; do
...
sleep 5
done
}
Run these modes only when needed, track their process IDs, and stop them after the task is complete.
