registry  /  swe-pro-agents  /  1.2.0

swe-pro-agents@1.2.0

49 specialized OpenCode subagent profiles + 7 delivery pipeline skills — SWE roles, research, architecture, and code analysis agents

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates OpenCode's AI-agent control surface during npm postinstall. Agents are copied to a package-named directory, but skills are installed into the shared global skills directory using generic names.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall
Impact
Can add or overwrite OpenCode skills that may affect future agent behavior without an explicit user command; uninstall does not remove those skills.
Mechanism
unconsented AI-agent/skill control-surface file copy
Policy narrative
On installation, npm runs scripts/install.js automatically. That script recursively copies package prompts into OpenCode's home configuration, including generic skill directories under ~/.config/opencode/skills/. These files can shape later AI-agent behavior and may replace existing same-named skills. No exfiltration or destructive payload was found, but the install-time mutation of a broad AI-agent control surface is enough to block under policy.
Rationale
Source inspection confirms automatic postinstall writes to OpenCode agent/skill locations, including broad unprefixed skill names, without a separate user setup command. The content is mostly benign and package-aligned, but the lifecycle mutation itself crosses the firewall block boundary for AI-agent control surfaces. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsbin/swe-pro-agents.jsskills/reviewer/SKILL.mdskills/testing/SKILL.mdskills/planner/SKILL.mdskills/repository/SKILL.md~/.config/opencode/agents/swe-pro-agents/~/.config/opencode/skills/~/.config/opencode/opencode.json

Decision evidence

public snapshot
AI called this Malicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/install.js.
  • scripts/install.js automatically copies agents to ~/.config/opencode/agents/swe-pro-agents/.
  • scripts/install.js automatically copies unprefixed skills into shared ~/.config/opencode/skills/.
  • Skill names like reviewer, testing, planner, repository are generic and may overwrite/control broad OpenCode behavior.
  • preuninstall removes only ~/.config/opencode/agents/swe-pro-agents, leaving copied skills behind.
Evidence against
  • No package code found for credential harvesting, exfiltration, eval/vm, child_process, or runtime network calls.
  • CLI only prints setup/status/version/help and reads opencode.json for status.
  • Agent/skill prompts appear package-aligned software-engineering roles, not covert data theft instructions.
Behavioral surface
Source
DynamicRequireFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 8.12 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/swe-pro-agents.jsView file
12L13: const fs = require('fs'); L14: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/swe-pro-agents.jsView on unpkg · L12
scripts/install.jsView file
5Install-time AI-agent control hijack evidence: L7: * Runs automatically after `npm install -g swe-pro-agents`. L8: * User still needs to add the agent path to their opencode.json or AGENTS.md once. L9: * Skills are auto-discovered by OpenCode once placed in ~/.config/opencode/skills/. ... L24: function copyRecursive(src, dest) { L25: fs.mkdirSync(dest, { recursive: true }); L26: ... L36: } else { L37: fs.copyFileSync(srcPath, destPath); L38: count++; ... L85: // Next steps L86: console.log(` Next step: add the agent path to your opencode.json or AGENTS.md:`); L87: console.log(` { "agents": [{ "path": "${AGENTS_DIR.replace(/\\/g, '\\\\')}" }] }`); Payload evidence from skills/reviewer/SKILL.md: L5: compatibility: opencode L6: metadata: L7: stage: "5-reviewer"
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.jsView on unpkg · L5

Findings

1 Critical1 High3 Medium4 Low
CriticalAi Agent Control Hijackscripts/install.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/swe-pro-agents.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings