ClawHub

Opencode Cli

v1.1.0

OpenCode CLI integration skill. Designed for AI agents like OpenClaw to execute coding tasks via OpenCode CLI. Core features: (1) Plan→Build workflow (2) Ses...

1· 31·0 current·0 all-time
byTaoyi CHEN@tchen6500
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (OpenCode CLI integration, Plan→Build, MCP, background monitoring) match the SKILL.md content. Optional env vars (CONTEXT7_API_KEY, SUPABASE_URL, SUPABASE_ANON_KEY) correspond to the documented MCP integrations.
Instruction Scope
Runtime instructions are limited to invoking the opencode CLI, managing sessions, using OpenClaw process actions (poll/log/kill), and configuring MCPs in project/global config files. The skill does not instruct reading unrelated system credentials or exfiltrating data. It does mandate active polling/monitoring for background tasks, which is operationally prescriptive but expected for the described behavior.
Install Mechanism
The skill itself has no install spec or code files (lowest install risk). However the MCP guides recommend global npm installs (npm install -g) or using npx; the guide correctly calls out npx as medium risk. Users should verify any third-party MCP package before global installation.
Credentials
No required environment variables are declared; the optional vars listed are directly tied to supported MCPs (Supabase, Context7). The skill does not request unrelated secrets or broad system credentials.
Persistence & Privilege
always is false and the skill is user-invocable. The SKILL.md states it does not persist beyond user sessions. Nothing in the files requests permanent or cross-skill configuration changes.
Assessment
This is an instruction-only OpenCode CLI integration and appears coherent, but take these precautions before using it: (1) Only run in repositories/environments you trust — the skill may trigger MCP servers that have access to project files and databases. (2) If you follow the MCP guidance, verify any npm packages before installing globally (npm install -g) or prefer vetted/global installs over npx to reduce remote-code risk. (3) Provide SUPABASE/CONTEXT7 credentials only when needed and avoid committing them to version control; the skill marks them optional. (4) Background tasks require active polling/monitoring via the agent’s process tool — expect ongoing process activity and logs. (5) One minor inconsistency to double-check: the Context7 guide points to an Upstash link for obtaining an API key — confirm the correct credential provider for your Context7 setup. If you want extra assurance, ask the author for the canonical MCP package names and their official upstream URLs before installing any MCP servers.

Like a lobster shell, security has layers — review code before you run it.

latestvk974zj5reyzgee0m0v9ccrxsrd848mbw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments