Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Opcode
v1.2.2Zero-token execution layer for AI agents. Define workflows once, run them free forever — persistent, scheduled, deterministic. 6 MCP tools over SSE. Supports DAG-based execution, 6 step types (action, condition, loop, parallel, wait, reasoning), 26 built-in actions, ${{}} interpolation, reasoning nodes for human-in-the-loop decisions, and secret vault. Use when defining workflows, running templates, checking status, sending signals, querying workflow history, or visualizing DAGs.
⭐ 0· 1.2k·0 current·0 all-time
by@rendis
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md implements a full local workflow runtime (daemon, SSE, secret vault, filesystem and shell actions, HTTP requests) which is coherent with the 'execution layer for AI agents' description. However the registry metadata at the top of the package lists no required env vars, binaries, or install steps while SKILL.md metadata explicitly requires Go 1.25+, CGO_ENABLED=1, gcc/clang and names OPCODE_VAULT_KEY as the primary env — a clear inconsistency between declared requirements and the runtime instructions.
Instruction Scope
The runtime instructions direct the user to install and run a persistent local daemon that listens on TCP (default :4100), writes ~/.opcode (DB, settings, pidfile), downloads an auxiliary tool, and exposes MCP over SSE and an optional web panel. The workflow actions include fs.read/fs.write, shell.exec (arbitrary commands), and http.request. These capabilities are expected for a workflow engine, but they give broad access to files, processes, and network egress; defaults are permissive unless you explicitly configure deny/writable paths and network controls.
Install Mechanism
The skill bundle itself has no install spec in the registry, but SKILL.md instructs users to run `go install github.com/rendis/opcode/cmd/opcode@latest` and the install sequence downloads a helper (mermaid-ascii) into ~/.opcode/bin. Fetching from a GitHub repo via `go install` is traceable and common, but because the repository source is 'unknown' in the registry header and no install metadata was declared, users installing this will pull and build remote code at runtime — review the repository before running the install.
Credentials
Registry metadata listed no required environment variables, but SKILL.md declares OPCODE_VAULT_KEY as primary-env and documents many optional env overrides (OPCODE_DB_PATH, OPCODE_LISTEN_ADDR, OPCODE_PANEL, etc.). The vault key is described as 'root-equivalent' for stored secrets and is used to derive AES-256 keys — granting this to the daemon is high privilege and must be justified and protected. The mismatch between declared and actual env requirements is concerning.
Persistence & Privilege
The skill runs a persistent SSE daemon, creates files under ~/.opcode, a pidfile, and an embedded DB; it does not set always:true in registry (so it's not force-included), which is appropriate. Still, a long-running local process with ability to execute shell commands, read/write files, and make HTTP requests has a significant ongoing attack surface — run under a restricted user, constrain filesystem and network controls, and avoid exposing the panel to untrusted networks.
What to consider before installing
This package implements a full local workflow runtime that can execute shell commands, read/write files, and access the network — that's expected for its purpose but also high-risk if installed blindly. Key points before installing: (1) Registry metadata and the SKILL.md disagree — SKILL.md requires Go/toolchain and the OPCODE_VAULT_KEY secret (which the docs call 'root-equivalent'), so do not trust the registry's 'no env vars' claim. (2) The install instructions run `go install` to fetch/build code from GitHub and the runtime downloads a helper binary into ~/.opcode — inspect the GitHub repository and release history before running that command. (3) Default configuration is permissive (no deny-lists, open network egress); if you proceed, run the daemon under a dedicated low-privilege user, set DenyPaths/WritablePaths, restrict outbound network (proxy/firewall), enable the least-privilege settings, and do not put OPCODE_VAULT_KEY into settings.json. (4) If you cannot audit the upstream repo or do not want a persistent local daemon with a secrets vault, consider running in an isolated VM/container or avoid installing. Additional information that would increase confidence: a verified homepage/repository owner, a release tag/commit to inspect, and registry metadata that matches SKILL.md requirements.Like a lobster shell, security has layers — review code before you run it.
latestvk971w94sse6sbn23yr7hvvq879812pnx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.