v0.1.1

Opencode Acp Control

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.

Analysis

The skill appears purpose-aligned, but it gives an agent direct control over OpenCode with file-write, terminal, background-session, and prior-session access that should be reviewed before installation.

GuidanceInstall this only if you intentionally want your agent to control OpenCode in local projects. Verify the opencode CLI source, keep the cwd limited to the intended project, review prompts and resulting file or terminal actions, and stop background sessions when finished.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

"clientCapabilities":{"fs":{"readTextFile":true,"writeTextFile":true},"terminal":true}

The initialization tells the agent to advertise file read/write and terminal capabilities to OpenCode, creating broad local mutation authority without an explicit user-approval boundary in the workflow.

User impactIf used in a project, OpenCode may be able to read or change files and perform terminal-backed work through the agent, so mistakes or unsafe prompts could affect the local environment.

RecommendationUse only with trusted projects and a trusted OpenCode installation; require explicit user confirmation for file writes and terminal actions, and limit the cwd to the intended project.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

bash(command: "opencode acp --cwd /path/to/your/project", background: true, workdir: "/path/to/your/project")

The skill instructs the agent to launch a local CLI process. This is expected for controlling OpenCode, but it is still local command execution.

User impactInstalling the skill makes it easier for the agent to start OpenCode processes on the user's machine.

RecommendationConfirm the opencode binary is installed from a trusted source and run it only in intended project directories.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

Start OpenCode | `bash(command: "opencode acp --cwd /path/to/project", background: true)` ... Stop OpenCode | `process.kill(sessionId)`

The skill starts a background OpenCode process and documents how to stop it; this is purpose-aligned but creates a process that can continue until killed.

User impactA background OpenCode session may keep running during the task if it is not explicitly stopped.

RecommendationEnsure the process is killed when the task is complete and avoid leaving unattended sessions active.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none; Required binaries (all must exist): none

The registry metadata does not provide a source/homepage or declare the external opencode binary dependency, even though the skill workflow relies on that CLI.

User impactUsers have less registry-level assurance about provenance and must separately verify the OpenCode binary and the referenced project.

RecommendationVerify the GitHub repository and OpenCode installation independently before relying on this skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Resume a previous OpenCode session by letting the user choose from available sessions.

The skill can list and resume previous OpenCode conversations, meaning prior session context may influence future behavior.

User impactOld session content could include stale instructions, sensitive project context, or untrusted text that affects a resumed conversation.

RecommendationResume only sessions you recognize and treat previous conversation content as untrusted unless you have reviewed it.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

Send message | `process.write(sessionId, data: "<json-rpc>\n")`

The skill establishes a JSON-RPC channel between the agent and OpenCode; this is central to ACP use but means prompts and project context can flow through another agent process.

User impactInformation sent in prompts or gathered from the project may be handled by OpenCode and whatever configuration OpenCode uses.

RecommendationUse a trusted OpenCode setup and avoid sending secrets or private project data unless you intend OpenCode to process them.