registry  /  @ovrdev/cli  /  0.1.0-alpha.25

@ovrdev/cli@0.1.0-alpha.25

Override — the dev control plane: environments, repos, services, tasks

AI Security Review

scanned 23m ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `ovr bootstrap`, selects Claude integration, and confirms the prompt.
Impact
Can request a local agent to alter shell/Claude status-line configuration after explicit consent; no stealthy install-time control-surface mutation was confirmed.
Mechanism
Interactive Claude Code configuration handoff and node-pty helper chmod.
Rationale
No concrete malware, exfiltration, remote payload, or unconsented AI-agent control-surface mutation was found. The explicit agent-assisted configuration feature is a real elevated capability that warrants a warning under the stated policy.
Evidence
package.jsonscripts/postinstall.mjsdist/cli/index.jsnode_modules/node-pty/prebuilds/<platform>/spawn-helper~/.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/index.js` can invoke the local `claude` CLI to request edits to `~/.claude/settings.json`.
  • This Claude configuration flow is reachable only through interactive `ovr bootstrap` selections and confirmation.
  • `package.json` defines `postinstall`; `scripts/postinstall.mjs` chmods `node-pty` spawn-helper files in reachable node_modules layouts.
Evidence against
  • `scripts/postinstall.mjs` performs no network access, credential collection, shell execution, or AI-agent configuration mutation.
  • The Claude action is explicit, interactive, and delegated to the user's installed `claude` command rather than silently editing configs.
  • Network fetches in `dist/cli/index.js` are limited to a user-supplied team-config URL; no fixed remote endpoint or exfiltration path was found.
  • Project config dynamic import and setup command execution require user-invoked CLI operations on workspace repositories.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 24 file(s), 476 KB of source, external domains: 127.0.0.1

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
39import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/cli/index.jsView on unpkg · L39
39Trigger-reachable chain: manifest.bin -> dist/cli/index.js L39: import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L39
141return null; L142: const mod = await import(pathToFileURL(file).href); L143: const config = mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L141
39import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L39

Findings

2 Critical1 High5 Medium6 Low
CriticalPersistence Backdoordist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License