Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

easy-opencode

v1.1.1

opencode can do all the things related to code

2 stars · 734 downloads · 4 current · 4 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim 'code-related' operations and the only required binary is 'opencode', which is exactly the tool the instructions tell the agent to invoke. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to run the opencode CLI inside a repository directory and to follow a Plan→Build loop. It does not instruct the agent to read unrelated system files, environment variables, or to send data to arbitrary endpoints. The scope is narrowly focused on using the opencode CLI for repository coding tasks.
Install Mechanism
No install spec is provided (instruction-only). Nothing is downloaded or written by the skill itself, so there is no install-related risk from the skill bundle.
Credentials
No environment variables, credentials, or config paths are requested. The absence of additional secrets is proportionate to the stated purpose. Note: the opencode binary itself (outside this skill) may request credentials or network access at runtime — that's external to the skill.
Persistence & Privilege
The skill does not request always:true or any elevated/persistent presence, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not unusual here.
Assessment
This skill is internally consistent, but it relies on a local 'opencode' CLI — before installing or using the skill verify the origin and integrity of that binary (where it was installed from, its version, and its documentation). Specifically:
1) confirm the opencode binary is from a trusted vendor (check checksums/signatures or package manager provenance);
2) review what opencode does at runtime (network access, telemetry, credentials it may prompt for) because the skill will run it against your repository;
3) consider running it in an isolated environment (container/VM) or on non-sensitive repos first.
If you cannot verify the opencode binary, treat the skill as higher risk.


Runtime requirements

💯🚀🎯 Clawdis
Bins: opencode
latest vk9707w0t6dtq0230znwa3anqch81qetc
734 downloads
2 stars
3 versions
Updated 9h ago
v1.1.1
MIT-0

Opencode

Core rule

For any coding problem in a repository, use opencode directly. The major burden of question answering and coding should be given to opencode, which is very capable of doing it well. Your job is to pass the question to opencode, digest the result from opencode, and select what to do next (plan or build) based on that result. All planning and coding happens inside Opencode.

Usages

  • Available agents:
    • plan
    • build
  • Always select Plan first.
  • plan agent: run with cd [repo dir] && opencode run "[instructions/questions]" --continue --agent plan
  • build agent: run with cd [repo dir] && opencode run "[instructions/questions]" --continue --agent build

Plan agent behavior

  • Ask Opencode to analyze the task.
  • Request a clear step-by-step plan.
  • Allow Opencode to ask clarification questions.
  • Review the plan carefully.
  • If the plan is incorrect or incomplete:
    • Ask Opencode to revise it.
  • Do not allow code generation in Plan.

Build agent behavior

  • Ask Opencode to implement the approved plan.
  • If Opencode asks any question:
    • Immediately switch back to Plan.
    • Answer and confirm the plan.
    • Switch back to Build.

Completion

  • Repeat the Plan → Build loop until all user requirements are satisfied.
  • Never skip Plan.
  • Never answer questions in Build.
