registry  /  @overdeck/core  /  0.42.0

@overdeck/core@0.42.0

Multi-agent orchestration for AI coding assistants (Claude Code, Codex, Cursor, Gemini CLI)

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The confirmed lifecycle behavior is a guarded refresh of Overdeck hook executables into its own ~/.overdeck/bin directory. Broader AI tool control-surface writes exist, but appear tied to explicit pan sync/init/workspace commands rather than npm install.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall after Overdeck was previously initialized; broader writes require user-invoked CLI commands
Impact
Installs or refreshes local agent hooks that can interact with Overdeck's local dashboard and provider APIs during later agent use; no unconsented foreign-agent install-time hijack confirmed.
Mechanism
first-party agent extension hook refresh and user-invoked AI tool sync
Policy narrative
On install, the package runs a postinstall script that, only when ~/.overdeck already exists, copies bundled hook executables into ~/.overdeck/bin. Those hooks are part of an AI-agent orchestration product and later can call local Overdeck dashboard endpoints or provider APIs. The package also contains CLI sync code that can write Claude/Codex/Cursor-style control files, but inspection ties that to explicit pan commands/config rather than the npm lifecycle.
Rationale
This is a real agent-extension lifecycle risk because install refreshes executable hooks for an AI-agent platform, but the lifecycle write is guarded and confined to the package-owned Overdeck namespace. I did not find install-time mutation of foreign/broad AI-agent control surfaces, credential exfiltration to package-controlled endpoints, or remote code execution sufficient for a malicious verdict.
Evidence
package.jsonscripts/postinstall.mjssync-sources/hooks/statusline.shsync-sources/hooks/pan-hook-lib.shdist/sync-BGK4YcE7.jsdist/paths-3R6b989k.js~/.overdeck/bin/*~/.claude/skills~/.claude/commands~/.claude/CLAUDE.md~/.claude/mcp.json.cursor/rules/<skill>.mdcAGENTS.md
Network endpoints4
localhost:3011127.0.0.1:3011api.anthropic.com/api/oauth/usageapi.github.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.mjs || true
  • scripts/postinstall.mjs copies executable hook files from sync-sources/hooks to ~/.overdeck/bin when ~/.overdeck exists
  • Copied hooks include agent-facing scripts that call local dashboard APIs and may read Claude credentials for usage display
  • dist/sync-BGK4YcE7.js user-invoked sync can write ~/.claude/skills, ~/.claude/commands, ~/.claude/CLAUDE.md, and ~/.claude/mcp.json
Evidence against
  • No postinstall path found that writes ~/.claude, ~/.codex, ~/.cursor, or project AGENTS.md
  • postinstall is guarded by existing ~/.overdeck and writes only the package-owned ~/.overdeck/bin namespace
  • Network calls inspected are local dashboard APIs, GitHub/Anthropic/OpenAI/Linear provider APIs, or user-invoked remote-agent flows
  • scripts/sqlite.mjs dynamic require only loads node:sqlite; no remote code loading found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 996 file(s), 28.1 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.cloudflare.com, api.github.com, api.hume.ai, api.kimi.com, api.linear.app, api.machines.dev, api.minimax.io, api.moonshot.ai, api.openai.com, api.vercel.com, api.voyageai.com, api.x.ai, api.z.ai, app.excalidraw.com, chevrotain.io, dashscope-intl.aliyuncs.com, developer.mozilla.org, discord.gg, docs.anthropic.com, docs.excalidraw.com, docs.expo.dev, docs.github.com, download.pytorch.org, embed.reddit.com, en.wikipedia.org, encoding.spec.whatwg.org, esm.sh, example.com, excalidraw-room-persistence.firebaseio.com, fetch.spec.whatwg.org, fly.io, giphy.com, gist.github.com, github.com, inference-api.nousresearch.com, infra.spec.whatwg.org, jimmy.warting.se, json.excalidraw.com, jsonplaceholder.typicode.com, langium.org, libraries.excalidraw.com, mermaid.js.org, mimesniff.spec.whatwg.org, nodejs.org, openrouter.ai, orm.drizzle.team, oss-ai.excalidraw.com, oss-collab.excalidraw.com
Oversized source lightweight scan
dist/dashboard/public/assets/index-C2PMO6nB.js3.55 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsProtestwarewww.w3.org
dist/dashboard/server.js2.10 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.github.comapi.openai.comgithub.comopenrouter.ai
dist/dashboard/src-DFWsHM-l.js5.71 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.com

Source & flagged code

19 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView file
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Secret Pattern

AWS access key ID in dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
dist/remote-workspace-CjwtcgOj.jsView file
9import chalk from "chalk"; L10: import { exec } from "child_process"; L11: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/remote-workspace-CjwtcgOj.jsView on unpkg · L9
21init_projects(); L22: const execAsync = promisify(exec); L23: async function createRemoteWorkspacePromise(issueId, options = {}) {
High
Shell

Package source references shell execution.

dist/remote-workspace-CjwtcgOj.jsView on unpkg · L21
scripts/sqlite.mjsView file
2L3: const require = createRequire(import.meta.url); L4: let warningFilterInstalled = false;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/sqlite.mjsView on unpkg · L2
dist/cli/index.jsView file
10814if (flyInstalled) try { L10815: const { stdout } = await execAsync$14("fly auth whoami", { timeout: 1e4 }); L10816: console.log(` ${chalk.dim(" User: " + stdout.trim())}`); ... L10820: console.log(""); L10821: if (process.env.FLY_API_TOKEN) { L10822: console.log(" FLY_API_TOKEN is set but authentication check failed."); L10823: console.log(" Verify your token is valid at: https://fly.io/user/personal_access_tokens"); L10824: } else {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/cli/index.jsView on unpkg · L10814
86import { parseDocument } from "yaml"; L87: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L88: import { existsSync as existsSync$1, mkdirSync as mkdirSync$1, readFileSync as readFileSync$1, readdirSync as readdirSync$1, readlinkSync as readlinkSync$1, realpathSync as realpat... ... L112: import { createInterface as createInterface$2 } from "readline"; L113: import { stdin, stdout } from "node:process"; L114: import { pathToFileURL } from "node:url"; ... L251: async function contextListCommand(options = {}) { L252: const cwd = process.cwd(); L253: const layers = []; ... L301: if (resolved.note) console.log(chalk.dim(`Note: ${resolved.note}`)); L302: const editor = process.env.VISUAL || process.env.EDITOR || "nano"; L303: const res = spawnSync(editor, [resolved.file], { stdio: "inherit" });
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/cli/index.jsView on unpkg · L86
86Trigger-reachable chain: manifest.bin -> dist/cli/index.js L86: import { parseDocument } from "yaml"; L87: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L88: import { existsSync as existsSync$1, mkdirSync as mkdirSync$1, readFileSync as readFileSync$1, readdirSync as readdirSync$1, readlinkSync as readlinkSync$1, realpathSync as realpat... ... L112: import { createInterface as createInterface$2 } from "readline"; L113: import { stdin, stdout } from "node:process"; L114: import { pathToFileURL } from "node:url"; ... L251: async function contextListCommand(options = {}) { L252: const cwd = process.cwd(); L253: const layers = []; ... L301: if (resolved.note) console.log(chalk.dim(`Note: ${resolved.note}`)); L302: const editor = process.env.VISUAL || process.env.EDITOR || "nano"; L303: const res = spawnSync(editor, [resolved.file], { stdio: "inherit" });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L86
20334console.error(chalk.dim("\nOr download manually from:")); L20335: console.error(chalk.dim(" https://github.[redacted]-compress")); L20336: console.error(chalk.dim(` → place at ${compressDir}/`)); ... L20341: try { L20342: const { stdout, stderr } = await execAsync$7(`python3 __main__.py "${resolvedFile}"`, { L20343: cwd: compressDir, ... L20346: }); L20347: if (stdout) process.stdout.write(stdout); L20348: if (stderr) process.stderr.write(stderr);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L20334
86import { parseDocument } from "yaml"; L87: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L88: import { existsSync as existsSync$1, mkdirSync as mkdirSync$1, readFileSync as readFileSync$1, readdirSync as readdirSync$1, readlinkSync as readlinkSync$1, realpathSync as realpat... ... L112: import { createInterface as createInterface$2 } from "readline"; L113: import { stdin, stdout } from "node:process"; L114: import { pathToFileURL } from "node:url"; ... L251: async function contextListCommand(options = {}) { L252: const cwd = process.cwd(); L253: const layers = []; ... L301: if (resolved.note) console.log(chalk.dim(`Note: ${resolved.note}`)); L302: const editor = process.env.VISUAL || process.env.EDITOR || "nano"; L303: const res = spawnSync(editor, [resolved.file], { stdio: "inherit" });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L86
9621} catch { L9622: execSync("npm install -g @ast-grep/cli", { L9623: stdio: "pipe",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L9621
86import { parseDocument } from "yaml"; L87: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L88: import { existsSync as existsSync$1, mkdirSync as mkdirSync$1, readFileSync as readFileSync$1, readdirSync as readdirSync$1, readlinkSync as readlinkSync$1, realpathSync as realpat... ... L112: import { createInterface as createInterface$2 } from "readline"; L113: import { stdin, stdout } from "node:process"; L114: import { pathToFileURL } from "node:url"; ... L251: async function contextListCommand(options = {}) { L252: const cwd = process.cwd(); L253: const layers = []; ... L301: if (resolved.note) console.log(chalk.dim(`Note: ${resolved.note}`)); L302: const editor = process.env.VISUAL || process.env.EDITOR || "nano"; L303: const res = spawnSync(editor, [resolved.file], { stdio: "inherit" });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L86
dist/agents-CAXhuvvP.jsView file
44import { parse as parse$2 } from "yaml"; L45: import { exec, execSync } from "child_process"; L46: import { chmodSync as chmodSync$1, closeSync, constants, createReadStream as createReadStream$1, existsSync as existsSync$1, mkdirSync as mkdirSync$1, openSync as openSync$1, readF... ... L61: import { exec as exec$1, execFile as execFile$1 } from "node:child_process"; L62: import { request } from "node:http"; L63: //#region src/lib/overdeck/agent-rollback-state.ts ... L101: init_internal_token(); L102: DASHBOARD_URL = process.env["OVERDECK_DASHBOARD_URL"] || "http://127.0.0.1:3011"; L103: DEFAULT_TIMEOUT_MS = 1500; ... L117: const body = yield* Effect.tryPromise({ L118: try: () => res.json(), L119: catch: (cause) => new AgentRuntimeFetchError({
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/agents-CAXhuvvP.jsView on unpkg · L44
dist/caveman-compress/__init__.pyView file
path = dist/caveman-compress/__init__.py kind = build_helper sizeBytes = 224 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/caveman-compress/__init__.pyView on unpkg
dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View file
path = [redacted]-grotesk-latin-ext-400-normal-CfP_5XZW.woff2 kind = high_entropy_blob sizeBytes = 12256 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View on unpkg
dist/dashboard/server.jsView file
path = dist/dashboard/server.js kind = oversized_source_file sizeBytes = 2204538 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/dashboard/server.jsView on unpkg
dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView file
1patternName = google_api_key severity = high line = 1 matchedText = var e={V...AZZX
High
Secret Pattern

Google API key in dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js

dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView on unpkg · L1

Findings

6 Critical9 High8 Medium7 Low
CriticalCritical Secretdist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
CriticalSame File Env Network Executiondist/cli/index.js
CriticalCredential Exfiltrationdist/agents-CAXhuvvP.js
CriticalDownload Executedist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalSecret Patterndist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/remote-workspace-CjwtcgOj.js
HighShelldist/remote-workspace-CjwtcgOj.js
HighCommand Output Exfiltrationdist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2
HighOversized Source Filedist/dashboard/server.js
HighSecret Patterndist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/sqlite.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumProtestware
MediumShips Build Helperdist/caveman-compress/__init__.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings