registry  /  swe-pro-agents  /  1.0.0

swe-pro-agents@1.0.0

49 specialized OpenCode subagent profiles — SWE roles, research, architecture, and code analysis agents

AI Security Review

scanned 7h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package installs OpenCode agent profile files into a package-owned config directory at npm postinstall time. This is agent extension setup, but inspection did not show automatic activation, config hijacking, exfiltration, or remote payload execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall; npm uninstall lifecycle preuninstall; explicit swe-pro-agents CLI commands
Impact
Adds local agent profiles that may later be enabled by user configuration; no confirmed malicious execution path found
Mechanism
copies bundled AI-agent markdown profiles into ~/.config/opencode/agents/swe-pro-agents
Rationale
This is a guarded AI-agent extension lifecycle risk because install-time code writes package-owned agent profiles into a foreign tool's config tree, but activation remains manual and no concrete malicious chain was found. Warn rather than block under the install control-surface policy.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsbin/swe-pro-agents.jsREADME.mdagents/swe-pro.mdagents/architect.mdagents/*.md~/.config/opencode/agents/swe-pro-agents

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/install.js and preuninstall: node scripts/uninstall.js
  • scripts/install.js copies agents/ into ~/.config/opencode/agents/swe-pro-agents during install
  • agent markdown files are AI-agent control profiles with tool permissions such as edit/webfetch/websearch/bash ask/allow
  • scripts/uninstall.js removes ~/.config/opencode/agents/swe-pro-agents on uninstall
Evidence against
  • Install script writes only under package-owned opencode agents subdirectory, not opencode.json or AGENTS.md
  • CLI setup prints configuration snippets but does not mutate opencode.json or AGENTS.md
  • bin/swe-pro-agents.js status only reads opencode.json to check whether package path is referenced
  • No child_process, eval, dynamic remote loading, credential harvesting, or exfiltration endpoints found
  • README documents the same install location and manual user configuration step
Behavioral surface
Source
DynamicRequireFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 6.21 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/swe-pro-agents.jsView file
12L13: const fs = require('fs'); L14: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/swe-pro-agents.jsView on unpkg · L12
scripts/install.jsView file
6Install-time AI-agent control hijack evidence: L6: * Runs automatically after `npm install -g swe-pro-agents`. L7: * User still needs to add the path to their opencode.json or AGENTS.md once. L8: */ ... L22: function copyRecursive(src, dest) { L23: fs.mkdirSync(dest, { recursive: true }); L24: ... L34: } else { L35: fs.copyFileSync(srcPath, destPath); L36: count++; ... L55: console.log(); L56: console.log(` Next step: add this path to your opencode.json or AGENTS.md:`); L57: console.log(` { "agents": [{ "path": "${TARGET_DIR.replace(/\\/g, '\\\\')}" }] }`); Payload evidence from bin/swe-pro-agents.js: L17: const PACKAGE_NAME = 'swe-pro-agents'; L18: const AGENTS_DIR = path.join(__dirname, '..', 'agents'); L19: const TARGET_DIR = path.join(os.homedir(), '.config', 'opencode', 'agents', PACKAGE_NAME); L20: L21: const pkg = require(path.join(__dirname, '..', 'package.json')); L22: ... L60: const raw = fs.readFileSync(opencodeConfigPath, 'utf-8').replace(/^\uFEFF/, ''); L61: const config = JSON.parse(raw); L62: const agents = config.agents || [];
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L6

Findings

1 Critical1 High3 Medium4 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/swe-pro-agents.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings