
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
agents-opencode
Advanced tools
OpenCode Agents: Intelligent AI assistants for software development. Features 9 specialized agents (including legal-advisor for license auditing and compliance), 14 coding standards, automated code review, documentation generation, OpenCode plugin compati
Lean OpenCode agent pack for fast setup, safer skill loading, and production-ready workflows.
Also available for Claude Code — see Installation.
npx.Quick jump: Agents · Skills Matrix · Commands · Full Docs
Requires: Node.js
# Via npx (recommended)
npx agents-opencode --global
# Alternative (direct npm install)
npm install -g agents-opencode && agents-opencode --global
# Project install (current directory only)
npx agents-opencode --project .
# Filter language instruction references for a lighter install
npx agents-opencode --global --languages python,typescript
# Update existing installation
npx agents-opencode --update
# Force update both global + current project scopes
npx agents-opencode --update --all
# Uninstall current project scope (default)
npx agents-opencode --uninstall
# Uninstall global scope only
npx agents-opencode --uninstall --global
# Uninstall both global + current project scopes
npx agents-opencode --uninstall --all
# Check detected installation scopes
npx agents-opencode --status
Install behavior note:
npx/npm installs from the published npm package version (deterministic release artifact).agents-opencodeopencode--languages filters language instruction reference files; runtime skill loading remains on-demand per agent allowlists.Uninstall behavior:
npx agents-opencode --uninstall targets the current project by default.--global or --all for explicit scope control.<project>/.opencode/.backups/<timestamp>--<operation>--<scope>/~/.config/opencode/.backups/<timestamp>--<operation>--<scope>/Restore from backup:
backup-manifest.json for file paths.Update behavior:
npx agents-opencode --update auto-detects and updates installed scopes (global and/or current project).--all, --global, or --project [dir] to force explicit update scope.Configuration behavior:
external_directory, doom_loop) into opencode.json.Then run:
opencode
/init
@orchestrator Build a REST API with JWT auth
npx agents-opencode --global
# Add marketplace (one-time)
/plugin marketplace add shahboura/agents-opencode-claude
# Install
/plugin install agents-opencode@shahboura
# Update
/plugin update agents-opencode@shahboura
Gives Claude Code access to the same 23 on-demand skills. Skills load only when invoked — no context cost until you use them. See adapters/claude-code/ for the plugin manifest and generator script.
| Agent | Best For |
|---|---|
@orchestrator | Multi-phase coordination |
@planner | Read-only architecture/planning |
@codebase | Feature implementation |
@review | Security/performance/code quality |
@docs | Documentation updates |
@em-advisor | EM/leadership guidance |
@blogger | Blog/video/podcast drafting |
@brutal-critic | Final content quality gate |
@legal-advisor | Legal research, jurisdiction-aware compliance, contract review, license auditing, data privacy, IP, export controls |
Canonical source for exact allowlists and skill triggers: Skills Matrix
.opencode/instructions/*.instructions.md as reference material..opencode/skills/<name>/SKILL.md.skill tool.Use permission.skill allowlists in agent frontmatter to prevent unrelated skill loads.
permission:
skill:
"*": "deny"
"python": "allow"
"sql-migrations": "allow"
This keeps skills focused by agent role and reduces accidental context bloat.
Use permission.task allowlists to control which subagents each agent can invoke.
permission:
task:
"*": "deny"
"explore": "allow"
"review": "allow"
Pattern notes:
"*": "deny", then add explicit allows.OpenCode's context caching dramatically reduces token consumption across sessions.
The following metrics are from production usage (May–June 2026) with the
deepseek-v4-pro model.
| Metric | May 2026 | June 2026 | Combined |
|---|---|---|---|
| Cache Hit Tokens | 263.3M | 21.9M | 285.2M |
| Cache Miss Tokens | 7.9M | 1.3M | 9.2M |
| Output Tokens | 0.8M | 0.2M | 1.0M |
| Total Requests | 1,407 | 380 | 1,787 |
| Cache Hit Rate | 97.1% | 94.5% | 96.9% |
| Avg Tokens/Request | 193K | 62K | 165K |
Key takeaway: persistent context reuse keeps ~97% of input tokens in cache, avoiding costly re-processing across agent sessions. Cache-hit tokens cost ~120× less than cache-miss tokens, translating to substantial efficiency gains for long-running multi-agent workflows.
Type /command-name in the TUI to run:
| Command | Description |
|---|---|
/api-docs | Generate API documentation |
/code-review | Comprehensive code review |
/generate-tests | Unit test generation |
/security-audit | Security audit |
/refactor-plan | Refactoring plan |
/create-readme | Generate README |
/architecture-decision | ADR creation |
/architecture-review | Architecture review |
/blog-post | Blog post creation |
/content-review | Content quality scoring |
/plan-project | Multi-phase project planning |
/execution-loop | Bounded iterative execution workflow |
/stop-loop | Stop loop and summarize state |
/checkpoint | Phase-boundary checkpoint for human decision |
/1-on-1-prep | Meeting preparation |
npm run eval:agents runs deterministic contract checks for agent and command metadata.npm run eval:agents:json writes machine-readable output to evals/reports/latest.json.npm run doctor for the complete local validation suite.FAQs
OpenCode Agents: Intelligent AI assistants for software development. Features 9 specialized agents (including legal-advisor for license auditing and compliance), 14 coding standards, automated code review, documentation generation, OpenCode plugin compati
The npm package agents-opencode receives a total of 224 weekly downloads. As such, agents-opencode popularity was classified as not popular.
We found that agents-opencode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.