opencode-acp-control
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for high-entropy, literal credentials that would grant access.
Findings:
- The three long session IDs shown in the "List Available Sessions" example (ses_451cd8ae0ffegNQsh59nuM3VVy, ses_451a89e63ffea2TQIpnDGtJBkS, ses_4518e90d0ffeJIpOFI3t3Jd23Q) are random/long enough to meet the high-entropy criterion and are used as session identifiers in calls to session/load. Because session IDs can grant access to conversation history when passed to session/load, these should be considered possible secrets if they were real values rather than examples.
What I ignored and why:
- sess_abc123 and sess_xyz789 — low-entropy, clearly example/placeholders.
- bg_42 and processSessionId examples — simple, non-sensitive identifiers or examples.
- Other strings (client names, version numbers, commands, URLs, and brief tokens like "clawdbot") are documentation/example data and do not meet the high-entropy secret definition.
- No API keys, private keys (PEM blocks), JWTs, or other obvious credential formats were present.
Conclusion: there are long, random-looking session IDs present that could be usable credentials; everything else is a placeholder or non-secret.