
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
agents-opencode
Advanced tools
OpenCode Agents: Intelligent AI assistants for software development. Features 9 specialized agents (including legal-advisor for license auditing and compliance), 14 coding standards, automated code review, documentation generation, OpenCode plugin compati
Lean OpenCode agent pack for fast setup, safer skill loading, and production-ready workflows.
npx.Quick jump: Agents · Skills Matrix · Commands · Full Docs
Requires: Node.js
# Via npx (recommended)
npx agents-opencode --global
# Alternative (direct npm install)
npm install -g agents-opencode && agents-opencode --global
# Project install (current directory only)
npx agents-opencode --project .
# Filter language instruction references for a lighter install
npx agents-opencode --global --languages python,typescript
# Update existing installation
npx agents-opencode --update
# Force update both global + current project scopes
npx agents-opencode --update --all
# Uninstall current project scope (default)
npx agents-opencode --uninstall
# Uninstall global scope only
npx agents-opencode --uninstall --global
# Uninstall both global + current project scopes
npx agents-opencode --uninstall --all
# Check detected installation scopes
npx agents-opencode --status
Install behavior note:
npx/npm installs from the published npm package version (deterministic release artifact).agents-opencodeopencode--languages filters language instruction reference files; runtime skill loading remains on-demand per agent allowlists.Uninstall behavior:
npx agents-opencode --uninstall targets the current project by default.--global or --all for explicit scope control.<project>/.opencode/.backups/<timestamp>--<operation>--<scope>/~/.config/opencode/.backups/<timestamp>--<operation>--<scope>/Restore from backup:
backup-manifest.json for file paths.Update behavior:
npx agents-opencode --update auto-detects and updates installed scopes (global and/or current project).--all, --global, or --project [dir] to force explicit update scope.Configuration behavior:
external_directory, doom_loop) into opencode.json.Then run:
opencode
/init
@orchestrator Build a REST API with JWT auth
npx agents-opencode --global
Add to your opencode.json:
{ "plugin": ["agents-opencode"] }
Then restart OpenCode or run /reload-plugins.
| Agent | Best For |
|---|---|
@orchestrator | Multi-phase coordination |
@planner | Read-only architecture/planning |
@codebase | Feature implementation |
@review | Security/performance/code quality |
@docs | Documentation updates |
@em-advisor | EM/leadership guidance |
@blogger | Blog/video/podcast drafting |
@brutal-critic | Final content quality gate |
@legal-advisor | License auditing, IP review, data privacy assessment, regulatory guidance |
Canonical source for exact allowlists and skill triggers: Skills Matrix
.opencode/instructions/*.instructions.md as reference material..opencode/skills/<name>/SKILL.md.skill tool.Use permission.skill allowlists in agent frontmatter to prevent unrelated skill loads.
permission:
skill:
"*": "deny"
"python": "allow"
"sql-migrations": "allow"
This keeps skills focused by agent role and reduces accidental context bloat.
Use permission.task allowlists to control which subagents each agent can invoke.
permission:
task:
"*": "deny"
"explore": "allow"
"review": "allow"
Pattern notes:
"*": "deny", then add explicit allows.Type /command-name in the TUI to run:
| Command | Description |
|---|---|
/api-docs | Generate API documentation |
/code-review | Comprehensive code review |
/generate-tests | Unit test generation |
/security-audit | Security audit |
/refactor-plan | Refactoring plan |
/create-readme | Generate README |
/architecture-decision | ADR creation |
/architecture-review | Architecture review |
/blog-post | Blog post creation |
/content-review | Content quality scoring |
/plan-project | Multi-phase project planning |
/execution-loop | Bounded iterative execution workflow |
/stop-loop | Stop loop and summarize state |
/1-on-1-prep | Meeting preparation |
npm run eval:agents runs deterministic contract checks for agent and command metadata.npm run eval:agents:json writes machine-readable output to evals/reports/latest.json.npm run doctor for the complete local validation suite.FAQs
OpenCode Agents: Intelligent AI assistants for software development. Features 9 specialized agents (including legal-advisor for license auditing and compliance), 14 coding standards, automated code review, documentation generation, OpenCode plugin compati
The npm package agents-opencode receives a total of 224 weekly downloads. As such, agents-opencode popularity was classified as not popular.
We found that agents-opencode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.