Security audit

Opencode Guide

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent OpenCode callback purpose, but it needs review because it installs executable helper scripts, sends task callbacks, stores task results, and includes a broad shell-command wrapper.

Install only if you are comfortable with helper scripts being placed in ~/.openclaw/scripts and with task metadata and results being stored locally and sent via OpenClaw callbacks. Replace any example session key with the current intended session, avoid putting secrets in task prompts, prefer opencode-auto-callback.sh over the `bash -c` wrapper, and periodically review or clean ~/.openclaw/task-results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium, 94% confidence
Finding
The skill frames itself as a passive 'messenger/coordinator' while explicitly instructing the agent to create task files, launch background scripts, monitor logs, and trigger callback notifications. This mismatch can mislead reviewers and users about the actual execution authority of the skill, increasing the chance that high-impact actions are delegated without appropriate scrutiny or consent.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The package presents itself as a usage guide, but its install lifecycle script writes files into the user's home directory under ~/.openclaw/scripts. Installation-time side effects outside the package directory are risky because they execute implicitly during install, are not clearly disclosed in this file, and can alter agent behavior or persistence on the host.

Intent-Code Divergence

Medium, 94% confidence
Finding
The metadata describes the package as a guide, but the package scripts actively deploy executable workflow files into a user-controlled runtime directory. That mismatch increases supply-chain risk because users may treat the package as documentation while npm lifecycle hooks perform operational changes that can influence future agent executions.

Missing User Warnings

Medium, 91% confidence
Finding
The README promotes automatic start/completion notifications and result-summary extraction but does not warn users that task metadata, summaries, or possibly sensitive content may be transmitted to another system. In an agent skill context, silent callback behavior increases the risk of unintended data disclosure, especially when tasks may involve source code, secrets, or private business context.

Missing User Warnings

Medium, 97% confidence
Finding
The package silently copies and deletes files in ~/.openclaw/scripts while suppressing errors with redirection and '|| true', reducing user visibility and auditability. Silent home-directory modification is dangerous because it can hide failed or partial installs, overwrite trusted local automation, and make unauthorized persistence harder to notice.

Missing User Warnings

Medium, 91% confidence
Finding
The README instructs users to send automatic start/finish notifications and to store task outputs, logs, and JSON results under predictable local paths, but it does not mention that task descriptions, model outputs, error messages, or other sensitive content may be exposed through callback messages or persisted on disk. In an agent workflow, these artifacts can contain secrets, internal prompts, user data, or operational metadata, so omitting any warning or guidance materially increases the risk of unintended disclosure.

Missing User Warnings

Medium, 99% confidence
Finding
The script executes user-controlled shell text via `bash -c "$OPENCODE_CMD --format json 2>&1"`, which allows arbitrary shell command injection because the entire command string is interpreted by the shell. In this skill context, the wrapper is explicitly designed to run agent-supplied tasks, so any untrusted input reaching `OPENCODE_CMD` can execute arbitrary commands with the privileges of the script user and access local files or secrets.

VirusTotal

63/63 vendors flagged this skill as clean.