Trust Assessment
opencode-controller received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Agent instructed to follow unvalidated input from external tool".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Agent instructed to follow unvalidated input from external tool. The skill instructs the agent (Clawdbot) to process and act upon outputs from 'Opencode', including 'clarification questions' (line 40), 'plan revisions' (line 49), and 'any question' (line 57). Specifically, the agent is told to 'Immediately switch back to Plan' and 'Answer and confirm the plan' based on Opencode's questions. There are no explicit instructions for the agent to validate or sanitize Opencode's output for malicious instructions or prompt injection attempts. This creates a vulnerability where a compromised or malicious Opencode instance could inject commands or manipulate the agent's behavior, potentially leading to unauthorized actions, data exfiltration, or circumvention of safety guidelines (e.g., 'Do not allow code generation in Plan'). Remediation: Implement robust input validation and sanitization for all outputs received from Opencode. The agent should be explicitly instructed to identify and reject any output from Opencode that attempts to override its core instructions, change its operational parameters outside of defined boundaries, or solicit sensitive information. Consider using a separate, sandboxed LLM or a rule-based system for interpreting Opencode's output before feeding it to the main agent's decision-making process. | LLM | SKILL.md:57 |