ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

easy-opencode

v1.1.1

opencode can do all the things related to code

2· 719·4 current·4 all-time
by@deciding
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim 'code-related' operations and the only required binary is 'opencode', which is exactly the tool the instructions tell the agent to invoke. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to run the opencode CLI inside a repository directory and to follow a Plan→Build loop. It does not instruct the agent to read unrelated system files, environment variables, or to send data to arbitrary endpoints. The scope is narrowly focused on using the opencode CLI for repository coding tasks.
Install Mechanism
No install spec is provided (instruction-only). Nothing is downloaded or written by the skill itself, so there is no install-related risk from the skill bundle.
Credentials
No environment variables, credentials, or config paths are requested. The absence of additional secrets is proportionate to the stated purpose. Note: the opencode binary itself (outside this skill) may request credentials or network access at runtime — that's external to the skill.
Persistence & Privilege
The skill does not request always:true or any elevated/persistent presence, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not unusual here.
Assessment
This skill is internally consistent, but it relies on a local 'opencode' CLI — before installing or using the skill verify the origin and integrity of that binary (where it was installed from, its version, and its documentation). Specifically: 1) confirm the opencode binary is from a trusted vendor (check checksums/signatures or package manager provenance); 2) review what opencode does at runtime (network access, telemetry, credentials it may prompt for) because the skill will run it against your repository; 3) consider running it in an isolated environment (container/VM) or on non-sensitive repos first. If you cannot verify the opencode binary, treat the skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk9707w0t6dtq0230znwa3anqch81qetc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💯🚀🎯 Clawdis
Binsopencode

Comments