registry  /  @override-dev/cli  /  0.1.0-alpha.12

@override-dev/cli@0.1.0-alpha.12

Override — the dev control plane: environments, repos, services, tasks

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs ovr bootstrap/setup/run/config import or npm postinstall.
Impact
Can write ovr config/data/log files, project .ovr files, shell rc integration if accepted, and may ask Claude Code to edit ~/.claude/settings.json after user confirmation.
Mechanism
developer workflow orchestration with explicit shell/git/config actions; postinstall chmods dependency helper
Rationale
The package is not malicious by static inspection, but it includes explicit user-command agent configuration setup via Claude Code bootstrap handoff, which fits the warn policy rather than publish block. Scanner persistence/key findings are package-aligned local service key/secret storage and workflow orchestration.
Evidence
package.jsonscripts/postinstall.mjsdist/cli/index.jsdist/index-bj59btcy.jsdist/index-34kn28k6.jsdist/plugins/shell.jsdist/plugins/supabase.jsnode_modules/node-pty/prebuilds/*/spawn-helper~/.config/ovr/config.json~/.config/ovr/ports.json~/.config/ovr/secrets.json~/.config/ovr/keys.json.ovr/answers.json.ovr/setup~/.zshrc~/.bashrc~/.claude/settings.json
Network endpoints5
github.comlocalhost127.0.0.1user-supplied http(s) config URLInfisical via infisical CLI

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has postinstall hook scripts/postinstall.mjs.
  • scripts/postinstall.mjs chmods node-pty prebuild spawn-helper files under nearby node_modules.
  • dist/cli/index.js bootstrap can prompt and invoke claude with a task to edit shell prompt or ~/.claude/settings.json.
  • dist/cli/index.js executes user/workspace setup commands and service shell commands during explicit ovr setup/run.
  • dist/cli/index.js can import team config from a user-provided http(s) URL.
Evidence against
  • No hardcoded exfiltration endpoint or credential upload found.
  • postinstall is limited to node-pty spawn-helper chmod and has no network, shell execution, or AI-agent config writes.
  • CLI network/process/file operations are tied to explicit dev-control-plane commands: git, Infisical CLI, Supabase/Docker, shell services.
  • Secrets/keys are generated and stored under ovr config/data paths for service use, not harvested from arbitrary files.
  • Exported modules define helpers/plugins and do not run hidden behavior on import.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 14 file(s), 292 KB of source, external domains: 127.0.0.1

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
38import * as clack2 from "@clack/prompts"; L39: import { execFileSync as execFileSync3 } from "node:child_process"; L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs"; ... L44: // src/util/color.ts L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR; L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s; ... L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; L57: import { createServer } from "node:net"; L58: import { dirname, join } from "node:path"; ... L63: try { L64: return JSON.parse(readFileSync(file, "utf8")); L65: } catch {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/cli/index.jsView on unpkg · L38
38Trigger-reachable chain: manifest.bin -> dist/cli/index.js L38: import * as clack2 from "@clack/prompts"; L39: import { execFileSync as execFileSync3 } from "node:child_process"; L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs"; ... L44: // src/util/color.ts L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR; L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s; ... L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; L57: import { createServer } from "node:net"; L58: import { dirname, join } from "node:path"; ... L63: try { L64: return JSON.parse(readFileSync(file, "utf8")); L65: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L38
397return null; L398: const mod = await import(pathToFileURL(file).href); L399: const config = mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L397
38import * as clack2 from "@clack/prompts"; L39: import { execFileSync as execFileSync3 } from "node:child_process"; L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs"; ... L44: // src/util/color.ts L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR; L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s; ... L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; L57: import { createServer } from "node:net"; L58: import { dirname, join } from "node:path"; ... L63: try { L64: return JSON.parse(readFileSync(file, "utf8")); L65: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L38

Findings

2 Critical1 High5 Medium7 Low
CriticalPersistence Backdoordist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License