opencode-acp-control

The skill is a usage document for controlling a local OpenCode process via ACP and is plausible and coherent for its intended purpose. However, it contains supply-chain and execution risks: most importantly, it explicitly recommends running an external installer via curl | bash and instructs restarting processes to trigger auto-updates. These patterns allow remote code execution on the host if the remote content is compromised or malicious. There is no evidence in the text of direct credential exfiltration or obfuscated/malicious code embedded in the document itself, but the documented update/install patterns are high-risk. Recommend removing or gating the curl|bash recommendation, requiring integrity checks (signed releases or checksums) for updates, and narrowing process-kill logic to avoid accidental termination of unrelated processes. Overall: not obviously malware, but moderately high supply-chain risk due to download-and-execute guidance.