creating-opencode-plugins

Facilitates the creation of OpenCode plugins with structured event handling and JavaScript/TypeScript implementation patterns.

Install this skill

or

40/100

Security score

The creating-opencode-plugins skill was audited on Mar 4, 2026 and we found 16 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 114

Template literal with variable interpolation in command context

SourceSKILL.md

114	console.warn(`⚠️ Sensitive file edited: ${path}`);

medium line 128

Template literal with variable interpolation in command context

SourceSKILL.md

128	console.error(`🚫 Blocked ${action} operation on sensitive file: ${target}`);

medium line 160

Template literal with variable interpolation in command context

SourceSKILL.md

160	console.log(`▶️ Executing: ${command} ${args.join(' ')}`);

medium line 169

Template literal with variable interpolation in command context

SourceSKILL.md

169	await $`osascript -e 'display notification "Completed in ${duration}ms" with title "${tool}"'`;

medium line 172

Template literal with variable interpolation in command context

SourceSKILL.md

172	console.log(`✅ ${tool} completed in ${duration}ms`);

medium line 201

Template literal with variable interpolation in command context

SourceSKILL.md

201	const result = await $`eslint ${fix ? '--fix' : ''} .`;

medium line 213

Template literal with variable interpolation in command context

SourceSKILL.md

213	console.log(`🔧 Tool: ${event.data.tool}`);

medium line 343

Template literal with variable interpolation in command context

SourceSKILL.md

343	console.log(`Tool completed: ${result.tool}`);

medium line 224

Access to hidden dotfiles in home directory

SourceSKILL.md

224	\| Global \| `~/.config/opencode/plugin/` \| All projects \| Security policies, global utilities \|

medium line 15

Access to .env file

SourceSKILL.md

15	- Intercepting file operations (prevent sharing .env files)

low line 74

Access to .env file

SourceSKILL.md

74	"description": "Prevents sharing .env files",

low line 97

Access to .env file

SourceSKILL.md

97

/\.env$/,

low line 98

Access to .env file

SourceSKILL.md

98	/\.env\..+$/,

low line 303

Access to .env file

SourceSKILL.md

303	data: { path: '.env', content: 'SECRET=123', timestamp: Date.now() }

medium line 310

Access to .env file

SourceSKILL.md

310	Security: Prevent accidental sharing of credentials (env-protection plugin blocks .env file reads)

low line 385

External URL reference

SourceSKILL.md

385	Documentation: https://opencode.ai/docs/plugins/

Scanned on Mar 4, 2026

View Security Dashboard

Install this skill with one command

/learn @pr-pm/creating-opencode-plugins

GitHub Stars 95

Rate this skill

Categorydevelopment

UpdatedMarch 29, 2026

openclaw api backend backend-developer devops-sre product-manager openai development product