Development Coding Agent

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This skill appears safe to install as an instruction-only helper, provided you trust the OpenCode CLI. Use it only inside the intended Git project, keep prompts specific, monitor any background runs, and review all generated changes before committing or deploying. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on the wrong project or with an overly broad prompt, the coding agent could make unintended code changes.

Why it was flagged

The skill instructs the user to run the OpenCode CLI through a shell command inside a project directory. This is central to the stated coding-agent purpose, but it gives the tool the ability to inspect and change project files.

Skill content

bash pty:true workdir:~/your-project command:"opencode run 'Add feature or fix bug'"

Recommendation

Run it only in the intended Git repository, use precise prompts, and review diffs/tests before keeping or deploying changes.

What this means

A background coding task may continue modifying files until it finishes or is stopped.

Why it was flagged

The skill documents user-invoked background OpenCode tasks. This is disclosed and purpose-aligned for longer development work, but it means a process may continue operating after the initial command starts.

Skill content

bash pty:true workdir:~/your-project background:true command:"opencode run 'Build complete feature'"

Recommendation

Monitor background tasks as the skill suggests, check logs regularly, and stop the process if it is working outside the intended scope.

What this means

The safety of the workflow depends partly on the OpenCode package installed on the user's machine.

Why it was flagged

The skill relies on an external OpenCode CLI and gives a global npm install example. This is a normal, user-directed prerequisite, but it means trust shifts to the installed third-party package.

Skill content

OpenCode CLI installed (`npm install -g opencode`)

Recommendation

Install OpenCode from a trusted source, consider pinning or verifying the package version, and keep it updated.