registry  /  @overdeck/core  /  0.45.8

@overdeck/core@0.45.8

Multi-agent orchestration for AI coding assistants (Claude Code, Codex, Cursor, Gemini CLI)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A guarded postinstall refreshes executables in the already-existing package-owned `~/.overdeck/bin` directory. At configured runtime, hooks send agent events to the local Overdeck dashboard; the statusline requests Claude usage from Anthropic using the local OAuth token. No concrete malicious attack surface was established.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall after prior Overdeck initialization; explicit CLI commands or configured agent hooks
Impact
refreshes Overdeck hooks and can query Claude usage; potentially powerful but package-aligned
Mechanism
first-party hook synchronization, local agent orchestration, and user-invoked CLI tooling
Rationale
Scanner findings reflect genuine orchestration and hook capabilities, but direct source inspection found them package-aligned and guarded rather than malicious. The package warrants no firewall block or warning under the stated policy.
Evidence
package.jsonscripts/postinstall.mjssync-sources/hooks/statusline.shsync-sources/hooks/session-start-hooksync-sources/hooks/user-prompt-submit-hooksync-sources/hooks/permission-event-hooksync-sources/hooks/work-agent-stop-hookdist/agents-CQHK0CSA.jsdist/cli/index.jssync-sources/hooks/pan-hook-lib.shsync-sources/hooks/codex-notify-hook
Network endpoints3
localhost:3011api.anthropic.com/api/oauth/usagegithub.com/rtk-ai/rtk/releases/download/

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` invokes `postinstall`.
  • `scripts/postinstall.mjs` copies bundled hook executables into existing `~/.overdeck/bin`.
  • `sync-sources/hooks/statusline.sh` reads Claude OAuth credentials and calls Anthropic's usage API.
  • `dist/cli/index.js` includes explicit CLI paths that download tools or run shell commands.
Evidence against
  • Postinstall runs its copy loop only if `~/.overdeck` already exists.
  • Install writes are limited to package-owned `~/.overdeck/bin`; no install-time foreign AI-agent settings write was found.
  • Reviewed hook traffic targets the local dashboard or `api.anthropic.com`, not an unaligned collector.
  • No inspected source showed remote payload execution, arbitrary credential exfiltration, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,023 file(s), 28.6 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.cloudflare.com, api.github.com, api.hume.ai, api.kimi.com, api.linear.app, api.machines.dev, api.minimax.io, api.moonshot.ai, api.openai.com, api.vercel.com, api.voyageai.com, api.x.ai, api.z.ai, app.excalidraw.com, chevrotain.io, dashscope-intl.aliyuncs.com, developer.mozilla.org, discord.gg, docs.anthropic.com, docs.excalidraw.com, docs.expo.dev, docs.github.com, download.pytorch.org, embed.reddit.com, en.wikipedia.org, encoding.spec.whatwg.org, esm.sh, example.com, excalidraw-room-persistence.firebaseio.com, fetch.spec.whatwg.org, fly.io, giphy.com, gist.github.com, github.com, inference-api.nousresearch.com, infra.spec.whatwg.org, jimmy.warting.se, json.excalidraw.com, jsonplaceholder.typicode.com, langium.org, libraries.excalidraw.com, mermaid.js.org, mimesniff.spec.whatwg.org, nodejs.org, ollama.com, openrouter.ai, orm.drizzle.team, oss-ai.excalidraw.com
Oversized source lightweight scan
dist/dashboard/public/assets/index-rQPa7qlV.js3.61 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsProtestwaregithub.comwww.w3.org
dist/dashboard/server.js2.16 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.github.comapi.openai.comgithub.comopenrouter.ai
dist/dashboard/src-BswtmojL.js5.71 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.com

Source & flagged code

20 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView file
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
22patternName = aws_access_key severity = critical line = 22 matchedText = `,m.push... t};
Critical
Secret Pattern

AWS access key ID in dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js

dist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22
dist/tldr-daemon-DITOmgqp.jsView file
5import { join } from "path"; L6: import { exec } from "child_process"; L7: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/tldr-daemon-DITOmgqp.jsView on unpkg · L5
133} L134: var execAsync, TldrDaemonService, daemonRegistry; L135: var init_tldr_daemon = __esmMin((() => {
High
Shell

Package source references shell execution.

dist/tldr-daemon-DITOmgqp.jsView on unpkg · L133
scripts/sqlite.mjsView file
2L3: const require = createRequire(import.meta.url); L4: let warningFilterInstalled = false;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/sqlite.mjsView on unpkg · L2
dist/cli/index.jsView file
11232if (flyInstalled) try { L11233: const { stdout } = await execAsync$19("fly auth whoami", { timeout: 1e4 }); L11234: console.log(` ${chalk.dim(" User: " + stdout.trim())}`); ... L11238: console.log(""); L11239: if (process.env.FLY_API_TOKEN) { L11240: console.log(" FLY_API_TOKEN is set but authentication check failed."); L11241: console.log(" Verify your token is valid at: https://fly.io/user/personal_access_tokens"); L11242: } else {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/cli/index.jsView on unpkg · L11232
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/cli/index.jsView on unpkg · L85
85Trigger-reachable chain: manifest.bin -> dist/cli/index.js L85: import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L85
matchType = previous_version_dangerous_delta matchedPackage = @overdeck/core@0.45.2 matchedIdentity = npm:QG92ZXJkZWNrL2NvcmU:0.45.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.jsView on unpkg
22720console.error(chalk.dim("\nOr download manually from:")); L22721: console.error(chalk.dim(" https://github.[redacted]-compress")); L22722: console.error(chalk.dim(` → place at ${compressDir}/`)); ... L22727: try { L22728: const { stdout, stderr } = await execAsync$8(`python3 __main__.py "${resolvedFile}"`, { L22729: cwd: compressDir, ... L22732: }); L22733: if (stdout) process.stdout.write(stdout); L22734: if (stderr) process.stderr.write(stderr);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L22720
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L85
10003} catch { L10004: execSync("npm install -g @ast-grep/cli", { L10005: stdio: "pipe",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L10003
85import { arch, cpus, freemem, homedir, platform, tmpdir } from "os"; L86: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "child_process"; L87: import { Command } from "commander"; ... L119: import { createInterface as createInterface$2 } from "readline"; L120: import { stdin, stdout } from "node:process"; L121: import { pathToFileURL } from "node:url"; ... L164: } L165: function candidateNodePaths(home = homedir()) { L166: const paths = [ ... L199: if (existsSync("/opt/homebrew/bin/brew") || existsSync("/usr/local/bin/brew")) return "brew install node@22 && brew link --overwrite node@22"; L200: return "Install Node 22 from https://nodejs.org/en/download"; L201: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L85
dist/agents-CQHK0CSA.jsView file
44import { homedir } from "os"; L45: import { exec, execSync } from "child_process"; L46: import { parse as parse$1, stringify } from "@iarna/toml"; ... L64: import { layer } from "@effect/platform-node/NodeServices"; L65: import { request } from "node:http"; L66: //#region src/lib/overdeck/agent-rollback-state.ts ... L104: init_internal_token(); L105: DASHBOARD_URL = process.env["OVERDECK_DASHBOARD_URL"] || "http://127.0.0.1:3011"; L106: DEFAULT_TIMEOUT_MS = 1500; ... L120: const body = yield* Effect.tryPromise({ L121: try: () => res.json(), L122: catch: (cause) => new AgentRuntimeFetchError({
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/agents-CQHK0CSA.jsView on unpkg · L44
dist/caveman-compress/__init__.pyView file
path = dist/caveman-compress/__init__.py kind = build_helper sizeBytes = 224 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/caveman-compress/__init__.pyView on unpkg
dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View file
path = [redacted]-grotesk-latin-ext-400-normal-CfP_5XZW.woff2 kind = high_entropy_blob sizeBytes = 12256 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2View on unpkg
dist/dashboard/src-BswtmojL.jsView file
path = dist/dashboard/src-BswtmojL.js kind = oversized_source_file sizeBytes = 5983292 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/dashboard/src-BswtmojL.jsView on unpkg
dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView file
1patternName = google_api_key severity = high line = 1 matchedText = var e={V...AZZX
High
Secret Pattern

Google API key in dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js

dist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView on unpkg · L1

Findings

7 Critical9 High8 Medium7 Low
CriticalCritical Secretdist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
CriticalSame File Env Network Executiondist/cli/index.js
CriticalCredential Exfiltrationdist/agents-CQHK0CSA.js
CriticalDownload Executedist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
CriticalPrevious Version Dangerous Deltadist/cli/index.js
CriticalSecret Patterndist/dashboard/public/assets/chunk-EIO257PC-DnXo63uH.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tldr-daemon-DITOmgqp.js
HighShelldist/tldr-daemon-DITOmgqp.js
HighCommand Output Exfiltrationdist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/dashboard/public/assets/space-grotesk-latin-ext-400-normal-CfP_5XZW.woff2
HighOversized Source Filedist/dashboard/src-BswtmojL.js
HighSecret Patterndist/dashboard/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/sqlite.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumProtestware
MediumShips Build Helperdist/caveman-compress/__init__.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings