@override-dev/cli@0.1.0-alpha.9

Override — the dev control plane: environments, repos, services, tasks

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
npm postinstall for chmod repair; explicit `ovr bootstrap` confirmation for Claude/shell integration
Impact
May modify node-pty helper permissions during install and, with user confirmation, ask Claude Code to edit local shell/Claude status-line configuration.
Mechanism
package-aligned lifecycle chmod and opt-in local config automation
Rationale
Source inspection does not show unconsented preinstall/install/postinstall mutation of a broad AI-agent control surface, exfiltration, remote payload execution, or stealth persistence. Because the package includes opt-in Claude Code configuration automation, it is better treated as a warning-level agent capability risk rather than malicious.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • dist/cli/index.js
  • dist/index-85xjm9cd.js
  • dist/plugins/supabase.js
  • node_modules/node-pty/prebuilds/*/spawn-helper
  • node_modules/.pnpm/node-pty@*/node_modules/node-pty/prebuilds/*/spawn-helper
  • ~/.zshrc
  • ~/.bashrc
  • ~/.claude/settings.json
  • .ovr/answers.json
  • .ovr/setup
  • ovr.config.mts
Network endpoints (2)
  • user-supplied http(s) URLs in `ovr config import/pull`
  • localhost/127.0.0.1 readiness and service URLs

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall script scripts/postinstall.mjs
  • scripts/postinstall.mjs chmods node-pty prebuilds/*/spawn-helper under reachable node_modules trees
  • dist/cli/index.js bootstrap can hand off to claude with a prompt to edit shell prompt and ~/.claude/settings.json after interactive confirmation
  • dist/cli/index.js dynamically imports local ovr.config.* files and runs user-declared setup commands during explicit CLI workflows
Evidence against
  • No install-time network access or credential harvesting found in package.json or scripts/postinstall.mjs
  • Postinstall is limited to node-pty spawn-helper executable bit repair and debug logging via OVR_POSTINSTALL_DEBUG
  • Claude Code config mutation is opt-in inside cmdBootstrap, not automatic during install or import
  • Network fetches are user-supplied team config/readiness URLs or localhost-oriented service checks
  • child_process usage is core CLI behavior for git, package managers, shells, docker, supabase, infisical, and configured services
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · UrlStrings
Manifest
NoLicense
scanned 13 file(s), 279 KB of source, external domains: 127.0.0.1

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/cli/index.js
L38: import * as clack2 from "@clack/prompts";
L39: import { execFileSync as execFileSync3 } from "node:child_process";
L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs";
...
L44: // src/util/color.ts
L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR;
L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s;
...
L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
L57: import { createServer } from "node:net";
L58: import { dirname, join } from "node:path";
...
L63: try {
L64: return JSON.parse(readFileSync(file, "utf8"));
L65: } catch {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/cli/index.js · L38
Trigger-reachable chain: manifest.bin -> dist/cli/index.js
L38: import * as clack2 from "@clack/prompts";
L39: import { execFileSync as execFileSync3 } from "node:child_process";
L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs";
...
L44: // src/util/color.ts
L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR;
L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s;
...
L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
L57: import { createServer } from "node:net";
L58: import { dirname, join } from "node:path";
...
L63: try {
L64: return JSON.parse(readFileSync(file, "utf8"));
L65: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.js · L38
matchType = previous_version_dangerous_delta
matchedPackage = @override-dev/cli@0.1.0-alpha.7
matchedIdentity = npm:QG92ZXJyaWRlLWRldi9jbGk:0.1.0-alpha.7
similarity = 0.833
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.js
L397: return null;
L398: const mod = await import(pathToFileURL(file).href);
L399: const config = mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.js · L397
L38: import * as clack2 from "@clack/prompts";
L39: import { execFileSync as execFileSync3 } from "node:child_process";
L40: import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync8, readFileSync as readFileSync6, writeFileSync as writeFileSync7 } from "node:fs";
...
L44: // src/util/color.ts
L45: var useColor = process.stdout.isTTY && !process.env.NO_COLOR;
L46: var paint = (code, s) => useColor ? `\x1B[${code}m${s}\x1B[0m` : s;
...
L56: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
L57: import { createServer } from "node:net";
L58: import { dirname, join } from "node:path";
...
L63: try {
L64: return JSON.parse(readFileSync(file, "utf8"));
L65: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.js · L38

Findings

3 Critical · 1 High · 5 Medium · 7 Low
Critical · Persistence Backdoor · dist/cli/index.js
Critical · Trigger Reachable Dangerous Capability · dist/cli/index.js
Critical · Previous Version Dangerous Delta · dist/cli/index.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/cli/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/cli/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License