OpenCode AI
v1.2.2OpenCode AI - AI-driven code editor/IDE (CLI/TUI version of Cursor/Windsurf). Use when: (1) AI-assisted coding tasks, (2) Code refactoring with AI, (3) GitHu...
⭐ 3· 2k·22 current·22 all-time
byWang Lei@csuwl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The skill claims to wrap the 'opencode' CLI/TUI and the SKILL.md, README, and examples consistently reference the opencode binary and related commands. Requiring the 'opencode' binary (no env vars or unrelated binaries) aligns with the stated editor/IDE purpose.
Instruction Scope
Instructions are focused on invoking the opencode CLI and TUI (run, models, pr, serve, web, attach, etc.). Note: several commands expose data externally (run --share produces shareable links, serve/web/acp start servers, attach <url> connects to remote instances). Those operations can leak code or session contents if used without caution. The docs also recommend changing PATH and using sudo to install the skill into system directories — expected for CLI integration but privileged.
Install Mechanism
No install spec in the skill (instruction-only); installing the underlying opencode binary is delegated to Homebrew (brew install opencode) which is a normal, low-risk distribution path. INSTALL.md recommends copying the skill directory into OpenClaw's skills folder using sudo — a typical but privileged local installation step. There is no arbitrary remote download or archive extraction in the skill itself.
Credentials
The skill declares no required environment variables or credentials. It references provider/auth commands (opencode providers login, auth list) which are operations of the opencode binary itself; this is proportional. Users should be aware that opencode will manage provider credentials (AI provider tokens) independently if used, but the skill does not request unrelated secrets.
Persistence & Privilege
always:false and no special persistent privileges are requested by the skill metadata. However INSTALL.md instructs using sudo to place files under /usr/local and change ownership to root:wheel, which requires admin rights. Combined with server/attach/share features, installing and running opencode/server modes can expose code or open network endpoints — exercise caution and verify binaries before granting these privileges.
Assessment
This skill appears coherent: it simply wraps an external 'opencode' CLI and documents how to use it. Before installing or running it, do the following:
- Verify the opencode binary provenance: prefer 'brew install opencode' or an official release; avoid running untrusted binaries. Check the Homebrew formula or upstream project.
- Because the skill lacks a homepage/source repo in the metadata, treat it as coming from an unknown author — inspect the code/documentation locally and confirm there are no unexpected scripts or network calls in the actual opencode binary.
- Be cautious with server/share features: 'opencode run --share', 'opencode serve', 'web', 'acp', and 'attach <url>' can expose session contents or code to remote endpoints. Do not use them with sensitive code or credentials unless you trust the destination.
- Installing into system locations (sudo cp/chown) modifies system directories and requires admin rights; only do so if you trust the package contents. Consider using a symlink/dev workflow instead of overwriting system files.
- Confirm where opencode stores provider credentials (opencode auth/providers). Ensure secrets are stored as you expect (e.g., OS keyring) and not written to the skill folder you are copying.
If you want higher confidence, obtain the upstream source (homepage or repo), audit the opencode binary or Homebrew formula, and confirm the skill package was published by a known maintainer.Like a lobster shell, security has layers — review code before you run it.
aivk9744ebkn797n4sf65w1asc32h81scryclivk9744ebkn797n4sf65w1asc32h81scrycodingvk9744ebkn797n4sf65w1asc32h81scryeditorvk9744ebkn797n4sf65w1asc32h81scrygithubvk9744ebkn797n4sf65w1asc32h81scrylatestvk97ass702gm1zf2zpmw0rftje584yt43refactoringvk9744ebkn797n4sf65w1asc32h81scryslash-commandsvk9744ebkn797n4sf65w1asc32h81scrytuivk9744ebkn797n4sf65w1asc32h81scry
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🤖 Clawdis
Binsopencode