AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- package.json defines install-time postinstall script
- scripts/postinstall.mjs chmods node-pty prebuild spawn-helper files under node_modules
- dist/cli/index.js bootstrap can hand off a Claude prompt to edit shell prompt or ~/.claude/settings.json after interactive confirmation
- dist/cli/index.js imports user ovr.config.* files and can run configured setup commands during explicit CLI workflows
- postinstall is limited to chmod 0755 on node-pty spawn-helper; no network, shell, credential read, or agent config writes
- Claude/shell integration is only in ovr bootstrap, interactive/user-confirmed, not install-time or import-time
- Network use is package-aligned: git clone/fetch/pull, optional team config URL import, localhost readiness/Supabase
- child_process use supports declared dev-control-plane workflows and user-configured service execution
- No evidence of credential harvesting or exfiltration endpoints
Source & flagged code
7 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source writes persistence or remote-access backdoor material. (dist/cli/index.js · L38)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/cli/index.js · L38)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/cli/index.js)
- Package source references dynamic require/import behavior. (dist/cli/index.js · L397)
- Package source references weak cryptographic algorithms. (dist/cli/index.js · L38)