pantheon-org/opencode-build-plugins
skills/agentic-harness/opencode-toolkit/build-plugins/SKILL.md
Create OpenCode plugins using the opencode-ai/plugin SDK. Use when user wants to build a plugin, extend OpenCode, intercept tool execution, add custom tools, react to events, create a hook, block commands, add custom auth, or add automation to OpenCode. Also use for 'opencode plugin', 'custom tool', 'tool hook', 'plugin hook', 'logging for all tool calls', 'restrict what commands the AI can run', 'lifecycle hooks', 'middleware', 'tool.execute.before', 'tool.execute.after', 'auth hook', 'chat.params', 'intercept bash commands', 'block file writes', 'add audit logging', 'custom model provider auth', 'inject context before LLM call', 'fire-and-forget background task', 'watch session events'.
$ install --global
skillsauthnpx skillsauth add pantheon-org/tekhne opencode-build-pluginsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 10:20 AM125.7s17 files scanned
SKILL.md
- name:
- opencode-build-plugins
- description:
- Create OpenCode plugins using the opencode-ai/plugin SDK. Use when user wants to build a plugin, extend OpenCode, intercept tool execution, add custom tools, react to events, create a hook, block commands, add custom auth, or add automation to OpenCode. Also use for 'opencode plugin', 'custom tool', 'tool hook', 'plugin hook', 'logging for all tool calls', 'restrict what commands the AI can run', 'lifecycle hooks', 'middleware', 'tool.execute.before', 'tool.execute.after', 'auth hook', 'chat.params', 'intercept bash commands', 'block file writes', 'add audit logging', 'custom model provider auth', 'inject context before LLM call', 'fire-and-forget background task', 'watch session events'.
Creating OpenCode Plugins
Quick Start
Plugins live in .opencode/plugins/<name>/index.ts (project) or ~/.config/opencode/plugins/<name>/index.ts (global).
import type { Plugin } from "@opencode-ai/plugin"
export const MyPlugin: Plugin = async ({ project, client, $, directory, worktree }) => {
return {
// Add hooks here — see references/hooks.md for available hooks
}
}
Register in opencode.json:
{ "plugin": ["file:///.opencode/plugins/my-plugin/index.ts"] }
Optional — document plugin purpose in a companion agent file:
---
description: Plugin guard — intercepts tool calls, validates bash commands, blocks dangerous deletions, logs audit trail, hooks session events
---
Then test: opencode run hi
Mindset
Plugins are async factory functions returning hook implementations. They run once on load. Hooks fire at lifecycle points (tool execution, events, config load). Think of them as middleware layers.
Use tool.execute.before to intercept/block, tool.execute.after to log, event: for file edits/session end, auth: for custom model auth, chat.params: to modify LLM params, tool: key to add callable tools.
When to use: Intercept/log tool calls, add custom auth, react to lifecycle events, or extend OpenCode with new callable tools.
When NOT to use: Built-in tool exists (check client.tool.list()). Only need a shortcut (use slash command). Need behavior guidance (use AGENTS.md). Need MCP (use Model Context Protocol).
Verify plugin is loaded: run bun run opencode run "list your tools" and confirm the plugin output appears.
Anti-Patterns
NEVER call client.registerTool() — it does not exist. WHY: The SDK has no such method; calling it throws at runtime.
// BAD - runtime error
client.registerTool("my-tool", { ... })
// GOOD - return the tool from the factory
export const Plugin: Plugin = async ({ client }) => ({
tool: { "my-tool": myTool }
})
NEVER write sync hook handlers. WHY: The plugin loader validates async signatures; a sync handler causes the entire plugin to be rejected at load time with a type error.
// BAD - rejected at load
"tool.execute.before": (input) => { log(input) }
// GOOD - always async
"tool.execute.before": async (input) => { log(input) }
NEVER mutate input.args in tool.execute.before to block a tool — the input is read-only and silently ignored. WHY: Mutations have no effect; to block execution you must throw.
// BAD - silently ignored
"tool.execute.before": async (input) => { input.args.command = "echo safe" }
// GOOD - throw to block
"tool.execute.before": async (input) => {
if (isDangerous(input.args)) throw new Error("Blocked")
}
See references/hook-patterns.md for complete anti-pattern list + full hook/event/tool/UI/testing/publishing reference.
Eval Scenarios
- Scenario 0: Block dangerous bash commands with tool.execute.before
- Scenario 1: Show toast notifications on file edit events
- Scenario 2: Add custom tool to plugin using tool key
Related Skills
pantheon-org/jenkinsfile-generator
tools
VerifiedTrustedCommunity
Generates Jenkinsfiles with stages, agents, parallel builds, post-build actions, and security scanning for Declarative and Scripted pipeline syntaxes. Use when creating a Jenkins pipeline script, Groovy pipeline, or build configuration; implementing CI/CD workflows, continuous integration, or build automation; adding Docker/Kubernetes deployments, matrix builds, parameterized pipelines, or DevSecOps security scanning to a Jenkins setup.
6SKILL.mdUpdated May 16, 2026
pantheon-org/helm-validator
tools
VerifiedTrustedCommunity
Comprehensive toolkit for validating, linting, testing, and analyzing Helm charts and their rendered Kubernetes resources. Use this skill when working with Helm charts, validating templates, debugging chart issues, working with Custom Resource Definitions (CRDs) that require documentation lookup, or checking Helm best practices.
6SKILL.mdUpdated May 16, 2026
pantheon-org/helm-generator
tools
VerifiedTrustedCommunity
Comprehensive toolkit for generating best practice Helm charts and resources following current standards and conventions. Use this skill when creating new Helm charts, implementing Helm templates, scaffolding Chart.yaml and values.yaml, defining deployment templates, service definitions, ingress configurations, .tpl helpers, or building Helm projects from scratch. Trigger phrases include "create", "generate", "build", "scaffold" alongside terms like "kubernetes helm", "k8s charts", "helm package", "chart dependencies", "values.yaml", or "helm install".
6SKILL.mdUpdated May 16, 2026
pantheon-org/gitlab-ci-validator
development
VerifiedTrustedCommunity
Validates .gitlab-ci.yml syntax, detects security misconfigurations in job definitions, checks for deprecated keywords, ensures proper stage ordering, and audits pipeline configurations for best practices. Use when working with .gitlab-ci.yml files, validating GitLab CI/CD pipeline syntax, debugging configuration errors, checking for hardcoded secrets or credentials in pipeline jobs, optimizing pipeline performance with DAG or cache, or performing security audits on GitLab CI/CD configurations.
6SKILL.mdUpdated May 16, 2026