Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenCode Discord Thread
v1.0.0
Use this skill when OpenClaw should hand a coding task to OpenCode, keep the OpenCode run model-compatible with Z.AI Coding Plan / GLM plans, and mirror exec...
by R0S @r0s-org
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The name/description say: run OpenCode and mirror progress into Discord. The included script and SKILL.md only reference OpenCode, a repository path, and Discord targets — all coherent with that purpose.
Instruction Scope
SKILL.md and the script confine actions to launching a local 'opencode run --format json', summarizing its JSON events, and posting or editing messages in a Discord thread. The instructions do not request reading unrelated system files. Note: the SKILL.md explicitly requires DISCORD_BOT_TOKEN and relies on existing OpenCode credentials; this is within scope but should be declared in the skill manifest.
Install Mechanism
There is no install spec; the skill is instruction+script only and claims to be stdlib-only, which reduces install risk. The script uses only Python stdlib, subprocess, and urllib, and invokes the local 'opencode' binary — reasonable for the task.
Credentials
The manifest declares no required environment variables or primary credential, but SKILL.md and the script say the bridge reads DISCORD_BOT_TOKEN and expects OpenCode to be authenticated. The missing declaration is an incoherence: DISCORD_BOT_TOKEN is necessary and should be listed as a required credential. No unrelated secrets are requested, but the omission makes the skill's stated requirements unreliable.
Persistence & Privilege
always:false and no install hooks are present. agents/openai.yaml allows implicit invocation (allow_implicit_invocation: true), which is normal for a user-invocable skill but means the agent could call it autonomously — this is expected for skills that perform operations on the user's behalf.
What to consider before installing
This skill appears to do what it says (run OpenCode locally and mirror events into a Discord thread) and the included script is stdlib-only, but the skill manifest omits required environment variables. Before installing:
(1) confirm the author/publisher and ask them to declare DISCORD_BOT_TOKEN (and any other required creds) in the manifest;
(2) review the script (it runs 'opencode' and posts to Discord) and only provide a Discord bot token with the minimum permissions needed (send messages, create threads) — avoid granting admin or guild-level scopes;
(3) ensure OpenCode is installed and authenticated separately (the script invokes the local binary and will use OpenCode’s provider credentials);
(4) run the skill in a non-sensitive repository or sandbox initially to validate behavior; and
(5) if you rely on implicit invocation, be aware the agent may call this skill automatically when it deems appropriate.
If the publisher cannot justify the missing manifest env entries, treat the package as untrustworthy.
Like a lobster shell, security has layers — review code before you run it.
