AI Security Review
scanned 15d ago · by lpm-firewall-aiThe package installs and runs a native CLI binary fetched during postinstall. No confirmed malicious behavior is visible in the JavaScript wrapper, but the install-time executable download lacks an in-package integrity check.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; later invoking ocv runs bin/ocv
Impact
Executes externally downloaded native code under the user's account when the CLI is invoked
Mechanism
postinstall binary downloader and CLI wrapper
Attack narrative
On install, postinstall.cjs detects platform and architecture, downloads an ocv release asset from GitHub, writes it to bin/.ocv or bin/.ocv.exe, and marks it executable. The bin/ocv entrypoint later delegates all CLI arguments to that binary, or to OCV_BIN_PATH if set. This is package-aligned for a native CLI wrapper, but the downloaded executable is not verifiable from the package source alone.
Rationale
Static inspection finds a legitimate-looking native CLI installer with install-time network and binary execution risk, but no source-grounded credential theft, exfiltration, persistence, destructive behavior, or reviewer manipulation. Because the real executable payload is fetched externally without an in-package integrity check, downgrade to warn rather than mark malicious.
Evidence
package.jsonpostinstall.cjsbin/ocvREADME.mdbin/.ocvbin/.ocv.exe
Network endpoints1
github.com/leohenon/opencode-vim/releases/download
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node ./postinstall.cjs
- postinstall.cjs downloads a platform executable from GitHub releases at install time
- postinstall.cjs writes bin/.ocv or bin/.ocv.exe and chmods it executable
- bin/ocv executes the downloaded binary via spawnSync
- OCV_RELEASE_BASE_URL and OCV_BIN_PATH environment variables can redirect download or execution
Evidence against
- No credential, npm token, SSH key, or broad file harvesting found
- No exfiltration endpoint beyond package-aligned GitHub release download
- No persistence, destructive filesystem behavior, or AI-agent control-surface writes found
- README describes this as an ocv OpenCode fork CLI package
- Network activity is limited to installing the CLI binary
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings