registry  /  @leohenon/ocv  /  1.17.18-ocv.4.7

@leohenon/ocv@1.17.18-ocv.4.7

ocv (OpenCode fork with vim keybindings).

AI Security Review

scanned 7d ago · by lpm-firewall-ai

The package has a conventional native-binary installer surface but no confirmed malicious behavior. Install downloads a versioned platform binary into the package bin directory; runtime CLI delegates to that binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invoking ocv runs bin/ocv.
Impact
Installs and later executes a package-owned binary; no exfiltration, persistence, destructive behavior, or foreign control-surface mutation found in source.
Mechanism
platform-specific GitHub release binary download and CLI wrapper execution
Rationale
Static source inspection shows a package-aligned postinstall binary downloader and wrapper, not credential theft, remote code execution beyond its advertised binary install, or AI-agent hijacking. The scanner signals are explained by the lifecycle installer and environment override variables used for this CLI package.
Evidence
package.jsonpostinstall.cjsbin/ocvREADME.mdbin/.ocvbin/.ocv.exe
Network endpoints1
github.com/leohenon/opencode-vim/releases/download

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./postinstall.cjs.
  • postinstall.cjs downloads a platform binary and writes bin/.ocv or bin/.ocv.exe with mode 0755.
  • bin/ocv executes the downloaded binary or user-provided OCV_BIN_PATH via spawnSync.
Evidence against
  • Download URL is package-aligned: github.com/leohenon/opencode-vim/releases/download/v<version>/<asset>.
  • No credential/env harvesting beyond npm_package_version, OCV_RELEASE_BASE_URL, OCV_BIN_PATH.
  • No broad file traversal, persistence, destructive commands, obfuscation, or AI-agent control-surface writes found.
  • Network access is limited to fetching versioned release assets during install.
  • README describes expected purpose: ocv OpenCode fork with vim keybindings.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.59 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings