Is opencode-acp-control safe?
https://clawhub.ai/bjesuiter/opencode-acp-control
This skill is a legitimate OpenCode integration that uses the Agent Client Protocol to spawn and control a nested AI agent. While not malicious in intent, it presents significant security concerns: it creates an unmonitored nested agent with filesystem and terminal access, includes a curl-pipe-bash update mechanism that is a classic RCE vector, and enables arbitrary prompt relay that bypasses the host agent's permission system. The nested agent architecture creates an audit blind spot where actions are not subject to the host's safety controls.
Findings (9)
CRITICAL (-35): curl-pipe-bash remote code execution in update workflow
The update workflow includes a fallback instruction to run 'curl -fsSL https://opencode.dev/install | bash', which downloads and executes arbitrary code from a remote server. If the domain is compromised or DNS-hijacked, this executes attacker-controlled code with the agent's full permissions.
HIGH (-30): Nested agent with unrestricted prompt relay
The skill creates a persistent background process (OpenCode) and instructs the host agent to relay arbitrary prompts to it via session/prompt. The nested agent operates outside the host's permission system, creating an unmonitored execution channel. Any prompt — including injected content from files or web pages — can be forwarded to the nested agent without sanitization.
HIGH (-20): Hardcoded capability grants bypass host permissions
The initialize handshake hardcodes clientCapabilities granting the nested agent filesystem read/write and terminal access. These capabilities are declared without user consent and may exceed the permissions the user granted to the host agent.
HIGH (-25): Persistent background process with full system access
The skill spawns 'opencode acp' as a long-running background process with terminal and filesystem capabilities. This process persists across interactions and is not subject to the host agent's per-action permission checks.
MEDIUM (-10): External URL fetching for protocol docs and version checks
The skill references external URLs (agentclientprotocol.com/llms.txt, GitHub releases) that the agent is instructed to fetch. If these URLs serve poisoned content in the future, the agent would process attacker-controlled instructions.
MEDIUM (-20): Indirect exfiltration via nested agent relay
While the skill itself doesn't directly exfiltrate data, the nested OpenCode agent could be instructed (via relayed prompts) to read sensitive files and transmit them through its own network access, bypassing the host agent's monitoring.
MEDIUM (-15): Process lifecycle control enables persistent access
The skill documents process.list(), process.kill(), and process.write() operations that give comprehensive control over background processes. Combined with the persistent session architecture, this enables maintaining long-lived access to the system.
LOW (-15): Platform reads sensitive files during initialization
Filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw config files during installation. These appear to be from the host platform's own initialization rather than the skill, but the skill's presence triggered the installation context.
INFO (-10): Agent-within-agent architecture creates audit blind spot
The fundamental design pattern — a host agent spawning and controlling a nested agent via IPC — creates a layer that is invisible to the host's safety controls. This is not inherently malicious but represents an architectural risk that compounds with other skills or prompt injection attacks.