Opencode Acp Control

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to be a real OpenCode control guide, but it gives an agent broad ability to start another coding agent with file-write and terminal access, so it needs careful review before use.

Install only if you intend to let Claw control OpenCode. Before using it, verify your OpenCode binary, choose a specific project directory, avoid sending secrets, and require confirmation before any file modification, terminal command, update, or resumed-session use.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

OpenCode could be driven to read or modify project files and use terminal capabilities under the user's local account.

Why it was flagged

The skill instructs the agent to initialize OpenCode with filesystem read/write and terminal capabilities, which can enable high-impact local actions without clear approval boundaries in the provided instructions.

Skill content

"clientCapabilities":{"fs":{"readTextFile":true,"writeTextFile":true},"terminal":true}

Recommendation

Use only in trusted project directories, review prompts before sending them to OpenCode, and require explicit user confirmation for file writes, terminal commands, updates, or other mutating actions.

What this means

The skill will run a local OpenCode process in the selected project directory.

Why it was flagged

The skill relies on starting a local opencode process through a shell command. This is central to the stated purpose, but it is still local command execution.

Skill content

bash(command: "opencode acp --cwd /path/to/your/project", background: true, workdir: "/path/to/your/project")

Recommendation

Confirm that the opencode binary is the expected trusted installation and run it only from intended project paths.

What this means

A background OpenCode process may keep running during the interaction until stopped.

Why it was flagged

The skill starts OpenCode as a background process, but it also documents how to kill the process and includes a polling timeout.

Skill content

Start OpenCode | `bash(command: "opencode acp --cwd /path/to/project", background: true)` ... Stop OpenCode | `process.kill(sessionId)`

Recommendation

Track the returned process session ID and stop the OpenCode process when the task is complete.

What this means

Prompts and session content sent through this workflow are shared with the local OpenCode process and may influence subsequent OpenCode behavior.

Why it was flagged

The skill passes prompts and responses between the user's agent and OpenCode over ACP. This is the core integration, but users should treat it as inter-agent data sharing.

Skill content

Send message | `process.write(sessionId, data: "<json-rpc>\n")` ... Read response | `process.poll(sessionId)`

Recommendation

Avoid sending secrets unless needed, and verify what prompt or context is being passed to OpenCode.

What this means

Older session context could affect a new task or expose prior conversation content during a resumed interaction.

Why it was flagged

The skill supports loading prior OpenCode sessions, which can reuse earlier conversation context. The provided instructions do ask the user to choose the session.

Skill content

Resume session | List sessions → ask user → `session/load`

Recommendation

Resume only sessions you recognize and start a fresh session when prior context should not be reused.

What this means

Users must rely on their own local OpenCode installation and cannot verify it from this skill package alone.

Why it was flagged

The registry metadata does not declare an install source or required opencode binary even though the skill instructions depend on running opencode.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.

Recommendation

Install OpenCode from a trusted source, verify the binary on PATH, and treat the registry metadata/source mismatch as a review item.