Security audit

opencode

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real opencode automation helper, but it needs review because it gives broad file, command, server, cleanup, and admin-style guidance without enough safeguards.

Install only if you want a broad local automation helper and are prepared to supervise commands. Keep it inside a known workspace, do not print config or environment files without redacting secrets, bind servers to localhost with authentication where available, and manually approve any sudo, firewall, chmod/chown, kill, archive extraction, copy, or rm -rf command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The README exposes system-administration actions that go beyond ordinary opencode automation, including killing processes, changing file ownership and permissions, and altering firewall settings. In an agent skill context, documenting these commands without strict scoping or approval guidance increases the chance an agent or user will perform impactful host-level changes unrelated to the requested task.

Intent-Code Divergence

Medium
Confidence: 81%
Finding
The guide presents commands for attaching to a remote server, including a private LAN IP, while elsewhere stating the tool should not be used in production. That mixed guidance can normalize exposing a development-oriented service over the network, increasing the chance of unauthorized access if readers follow it without compensating controls.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The troubleshooting section tells users how to open TCP/4096 in the firewall even though the document later says not to use opencode in production. Providing operational steps to expose the service makes accidental network exposure more likely, especially when earlier examples also show unsecured startup behavior.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script is framed as opencode automation, but it also includes broad file-management capabilities such as copying, archiving, extracting, backing up, and deleting local data. In an agent skill context, this expands the operational scope well beyond the stated purpose and increases the risk of unintended file access, exfiltration, or destructive actions if invoked with attacker-controlled paths.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The preview function launches a generic Python HTTP server for an arbitrary directory supplied by the caller. Even though the default bind behavior is local unless changed by Python version/configuration, exposing arbitrary project contents over HTTP is risky in an automation skill because it can unintentionally leak sensitive files or make local content accessible to other users on the network.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The cleanup routine performs recursive forced deletion of cache and temporary paths as part of normal script functionality. In a skill/agent setting, destructive deletion commands are dangerous because they can erase data without review, and wildcard/path expansion mistakes can broaden the deletion scope unexpectedly.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger conditions are overly broad, such as invoking on general requests to create websites, analyze projects, or run tasks. In an agent environment this can cause accidental activation on normal user requests, expanding the skill's authority and increasing the chance that risky commands from the skill are used unexpectedly.

Missing User Warnings

Medium
Confidence: 91%
Finding
This section includes state-changing file and archive operations like cp, tar extraction, and zip creation but provides no warning about overwriting files, consuming disk space, or modifying project contents. In a skill README, omission of risk guidance makes it more likely these commands will be used unsafely by an agent or operator.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation instructs users to view configuration and environment files that commonly contain tokens, API keys, secrets, or internal endpoints, but it does not warn about sensitive data exposure. In an agent setting, encouraging direct display of these files can lead to unintended secret disclosure in logs, chat transcripts, or reports.

Missing User Warnings

Medium
Confidence: 97%
Finding
The quick-start section shows starting the web server and even displays output stating that OPENCODE_SERVER_PASSWORD is not set and the server is unsecured, but it does not immediately tell the reader to stop and configure authentication first. This is dangerous because users may copy-paste the command as-is and expose an unauthenticated control surface.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document includes recursive force-deletion commands for /tmp and the opencode cache without nearby warnings about irreversibility or the risk of deleting unintended data. In a copy-paste oriented reference guide, destructive shell snippets can easily cause data loss or service disruption.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly advertises file-management capabilities including creating, copying, moving, and deleting files, but it does not warn users about destructive operations, accidental overwrites, or irreversible data loss. In an automation-oriented skill, omission of such safeguards can lead to unintended deletion or modification of important files when users issue broad or ambiguous instructions.

Missing User Warnings

Low
Confidence: 84%
Finding
The documentation provides commands to start local services and attach to endpoints, but it does not clearly explain network exposure, binding behavior, or privacy implications of serving project contents over HTTP. Although examples use localhost/127.0.0.1 in places, users could still expose sensitive files or services by changing host/port settings or misunderstanding accessibility.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script deletes cache and temporary files immediately, with no confirmation, preview, or warning about what will be removed. This creates a straightforward risk of accidental data loss, especially when the script may be triggered non-interactively or by an agent on behalf of a user.

Sudo/Root Execution

Medium
Category: Privilege Escalation
Content
sudo ufw status

# allow opencode through the firewall
sudo ufw allow 4096/tcp

# check routing
ping 127.0.0.1
Confidence: 95%
Finding
sudo

Sudo/Root Execution

Medium
Category: Privilege Escalation
Content
ls -la /path/to/file

# change file permissions
chmod 755 /path/to/directory
chmod 644 /path/to/file

# change file owner
Confidence: 90%
Finding
chmod 755

Sudo/Root Execution

Medium
Category: Privilege Escalation
Content
# change file permissions
chmod 755 /path/to/directory
chmod 644 /path/to/file

# change file owner
sudo chown -R $USER:$USER /path/to/directory
Confidence: 90%
Finding
chmod 644

VirusTotal

66/66 vendors flagged this skill as clean.