registry  /  @overdeck/core  /  0.45.10

@overdeck/core@0.45.10

Multi-agent orchestration for AI coding assistants (Claude Code, Codex, Cursor, Gemini CLI)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides an AI-agent extension lifecycle: installation refreshes first-party executables in an existing Overdeck home, while explicit workspace setup can add Claude workspace hooks. Those hooks submit agent and prompt events to an Overdeck dashboard, local by default.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall with existing `~/.overdeck`, or explicit Overdeck workspace/install commands
Impact
AI-agent prompt and runtime data can be routed to the configured Overdeck dashboard; workspace hooks can execute Overdeck-managed commands.
Mechanism
first-party hook synchronization and user-invoked Claude workspace hook registration
Rationale
No concrete malicious payload, foreign global AI-agent configuration mutation, or install-time external exfiltration was confirmed. The package nevertheless performs first-party AI-agent extension setup and prompt-routing behavior, so it should be warned rather than blocked.
Evidence
package.jsonscripts/postinstall.mjsdist/workspace-P0whzIO3.jssync-sources/hooks/pan-hook-lib.shsync-sources/hooks/user-prompt-submit-hookdist/cli/index.jssync-sources/hooks/*~/.overdeck/bin/*<workspace>/.claude/settings.json~/.overdeck/hooks/memory/*
Network endpoints1
localhost:3011

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/postinstall.mjs` on install.
  • `scripts/postinstall.mjs` copies executable hooks into `~/.overdeck/bin` when that first-party directory already exists.
  • `dist/workspace-P0whzIO3.js` writes workspace `.claude/settings.json` hooks that execute Overdeck scripts.
  • `sync-sources/hooks/user-prompt-submit-hook` sends Claude prompt data to the configured Overdeck dashboard.
Evidence against
  • Postinstall does not alter `.claude`, `.codex`, Cursor, or Gemini settings.
  • Postinstall is gated on existing `~/.overdeck` state and copies only bundled first-party hook files.
  • Hook traffic defaults to authenticated local `http://localhost:3011`; no hard-coded external exfiltration endpoint was found.
  • `curl | bash` in `dist/cli/index.js` is limited to explicit `pan install`/`pan beads upgrade` commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,023 file(s), 28.6 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.cloudflare.com, api.github.com, api.hume.ai, api.kimi.com, api.linear.app, api.machines.dev, api.minimax.io, api.moonshot.ai, api.openai.com, api.vercel.com, api.voyageai.com, api.x.ai, api.z.ai, app.excalidraw.com, chevrotain.io, dashscope-intl.aliyuncs.com, developer.mozilla.org, discord.gg, docs.anthropic.com, docs.excalidraw.com, docs.expo.dev, docs.github.com, download.pytorch.org, embed.reddit.com, en.wikipedia.org, encoding.spec.whatwg.org, esm.sh, example.com, excalidraw-room-persistence.firebaseio.com, fetch.spec.whatwg.org, fly.io, giphy.com, gist.github.com, github.com, inference-api.nousresearch.com, infra.spec.whatwg.org, jimmy.warting.se, json.excalidraw.com, jsonplaceholder.typicode.com, langium.org, libraries.excalidraw.com, mermaid.js.org, mimesniff.spec.whatwg.org, nodejs.org, ollama.com, openrouter.ai, orm.drizzle.team, oss-ai.excalidraw.com
Oversized source lightweight scan
dist/dashboard/public/assets/index-DdqPXf3T.js3.61 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsProtestwaregithub.comwww.w3.org
dist/dashboard/server.js2.16 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.github.comapi.openai.comgithub.comopenrouter.ai
dist/dashboard/src-BswtmojL.js5.71 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.com

Source & flagged code

20 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView file
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Secret Pattern

AWS access key ID in dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
dist/tldr-daemon-DITOmgqp.jsView file
5import { join } from "path"; L6: import { exec } from "child_process"; L7: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/tldr-daemon-DITOmgqp.jsView on unpkg · L5
133} L134: var execAsync, TldrDaemonService, daemonRegistry; L135: var init_tldr_daemon = __esmMin((() => {
High
Shell

Package source references shell execution.

dist/tldr-daemon-DITOmgqp.jsView on unpkg · L133
scripts/sqlite.mjsView file
2L3: const require = createRequire(import.meta.url); L4: let warningFilterInstalled = false;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/sqlite.mjsView on unpkg · L2
dist/cli/index.jsView file
11232if (flyInstalled) try { L11233: const { stdout } = await execAsync$19("fly auth whoami", { timeout: 1e4 }); L11234: console.log(` ${chalk.dim(" User: " + stdout.trim())}`); ... L11238: console.log(""); L11239: if (process.env.FLY_API_TOKEN) { L11240: console.log(" FLY_API_TOKEN is set but authentication check failed."); L11241: console.log(" Verify your token is valid at: https://fly.io/user/personal_access_tokens"); L11242: } else {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/cli/index.jsView on unpkg · L11232
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/cli/index.jsView on unpkg · L85
85Trigger-reachable chain: manifest.bin -> dist/cli/index.js L85: import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L85
22720console.error(chalk.dim("\nOr download manually from:")); L22721: console.error(chalk.dim(" https://github.[redacted]-compress")); L22722: console.error(chalk.dim(` → place at ${compressDir}/`)); ... L22727: try { L22728: const { stdout, stderr } = await execAsync$8(`python3 __main__.py "${resolvedFile}"`, { L22729: cwd: compressDir, ... L22732: }); L22733: if (stdout) process.stdout.write(stdout); L22734: if (stderr) process.stderr.write(stderr);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L22720
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L85
10003} catch { L10004: execSync("npm install -g @ast-grep/cli", { L10005: stdio: "pipe",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L10003
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L85
dist/agents-CQHK0CSA.jsView file
44import { homedir } from "os"; L45: import { exec, execSync } from "child_process"; L46: import { parse as parse$1, stringify } from "@iarna/toml"; ... L64: import { layer } from "@effect/platform-node/NodeServices"; L65: import { request } from "node:http"; L66: //#region src/lib/overdeck/agent-rollback-state.ts ... L104: init_internal_token(); L105: DASHBOARD_URL = process.env["OVERDECK_DASHBOARD_URL"] || "http://127.0.0.1:3011"; L106: DEFAULT_TIMEOUT_MS = 1500; ... L120: const body = yield* Effect.tryPromise({ L121: try: () => res.json(), L122: catch: (cause) => new AgentRuntimeFetchError({
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/agents-CQHK0CSA.jsView on unpkg · L44
dist/caveman-compress/__init__.pyView file
path = dist/caveman-compress/__init__.py kind = build_helper sizeBytes = 224 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/caveman-compress/__init__.pyView on unpkg
dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View file
path = [redacted]-grotesk-latin-ext-400-normal-CfP_5XZW.woff2 kind = high_entropy_blob sizeBytes = 12256 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View on unpkg
dist/dashboard/src-BswtmojL.jsView file
path = dist/dashboard/src-BswtmojL.js kind = oversized_source_file sizeBytes = 5983292 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/dashboard/src-BswtmojL.jsView on unpkg
dist/dashboard/public/assets/ganttDiagram-6RSMTGT7-DQ3nocJU.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @overdeck/core@0.45.8 matchedIdentity = npm:QG92ZXJkZWNrL2NvcmU:0.45.8 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/dashboard/public/assets/ganttDiagram-6RSMTGT7-DQ3nocJU.jsView on unpkg
dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView file
1patternName = google_api_key severity = high line = 1 matchedText = var e={V...AZZX
High
Secret Pattern

Google API key in dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js

dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView on unpkg · L1

Findings

7 Critical9 High8 Medium7 Low
CriticalCritical Secretdist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
CriticalSame File Env Network Executiondist/cli/index.js
CriticalCredential Exfiltrationdist/agents-CQHK0CSA.js
CriticalDownload Executedist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/dashboard/public/assets/ganttDiagram-6RSMTGT7-DQ3nocJU.js
CriticalSecret Patterndist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tldr-daemon-DITOmgqp.js
HighShelldist/tldr-daemon-DITOmgqp.js
HighCommand Output Exfiltrationdist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2
HighOversized Source Filedist/dashboard/src-BswtmojL.js
HighSecret Patterndist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/sqlite.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumProtestware
MediumShips Build Helperdist/caveman-compress/__init__.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings