Back to plugin

Security audit

OpenCode Chat Bot

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote OpenCode chat bot with powerful coding and scheduling features, so it appears purpose-aligned but should only be installed by users who understand the account and local-code access it grants.

Install this only if you want chat-based control over local OpenCode projects. Configure DingTalk/Feishu/OpenClaw access narrowly, set allowed users, protect the .env secrets, avoid auto-confirm for risky prompts, and review any scheduled tasks.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/dingtalk/client.js:71
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/runtime/bootstrap.js:181
Evidence
OPENCODE_SERVER_PASSWORD: [REDACTED],