OpenCode ACP Control v2
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its OpenCode-control purpose, but it includes broad cleanup and raw execution workflows that could affect other OpenClaw sessions or run outside the intended scope.
Before installing, make sure you trust OpenCode with the selected project directory. Review or disable the wildcard lock-cleanup commands, avoid enabling GitHub/Supabase MCP unless needed, and inspect generated exec/process.write steps before running them.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
This could disrupt other active or recoverable OpenClaw sessions by removing their coordination lock files, causing tasks to interfere with each other or resume incorrectly.
The cleanup targets lock files across OpenClaw agent/session directories, not only the current OpenCode process. Some cleanup is run in preflight, and the broader wildcard cleanup is documented for stuck-session recovery.
find ~/.openclaw/agents -name '*.lock' -mmin +30 -delete ... rm -f ~/.openclaw/agents/*/sessions/*.lock
Limit cleanup to the current session's known lock file, keep the age filter for stale locks, and require confirmation before deleting wildcard paths under ~/.openclaw/agents.
A project path or prompt containing quotes, newlines, or shell metacharacters could break the generated workflow or change what command/JSON-RPC message is sent.
The generated workflow interpolates user-provided project and prompt values into executable commands and JSON-RPC payloads without visible shell or JSON escaping.
exec(command: "opencode acp --cwd $project", background: true, workdir: "$project") ... "text":"${prompt}"
Quote shell arguments safely, JSON-escape all prompt/path/MCP values, validate that the project path is intended, and show the final command before execution.
OpenCode may read, modify, or run commands in the selected project while completing prompts.
The skill explicitly delegates filesystem read/write and terminal capability to OpenCode over ACP. This is expected for the purpose, but it is sensitive inter-agent authority.
"clientCapabilities":{"fs":{"readTextFile":true,"writeTextFile":true},"terminal":true}
Use the skill only with trusted projects, review changes before keeping them, and avoid granting access to directories containing unrelated private data.
If enabled, OpenCode may act through configured Supabase or GitHub integrations, potentially affecting external projects or data.
The skill can enable Supabase or GitHub MCP servers, which may use existing account credentials or delegated permissions, although no primary credential is declared.
"mcpServers": { "default": [], "supabase": ["supabase"], "github": ["github"], "full": ["supabase", "github"] }
Only enable MCP servers intentionally, use least-privilege tokens/accounts, and confirm any database or repository-changing action before allowing it.
Users may not realize which local tools must be installed or trusted before the skill works.
The helper script relies on local jq and opencode binaries, while the registry metadata declares no required binaries and the source/homepage fields are not populated.
TIMEOUT_INIT=$(jq -r '.timeouts.initialize // 10000' "$CONFIG_FILE") ... if ! command -v opencode &> /dev/null
Declare opencode and jq as required binaries, align registry/source metadata with the included files, and document trusted installation sources.
