AI Security Review
scanned 12h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Installation only restores execute permission on `node-pty` helper binaries; CLI capabilities require explicit user commands and project configuration.
Decision evidence
public snapshot- `package.json` defines a `postinstall` hook.
- `scripts/postinstall.mjs` chmods only `node-pty` `spawn-helper` binaries.
- `dist/cli/index.js` can dynamically import user-owned `ovr.config.*` at CLI runtime.
- Postinstall has no network, shell, payload download, or credential access.
- Its chmod target is limited to the declared `node-pty` dependency's helper.
- Claude/shell configuration changes occur only through interactive `ovr bootstrap` confirmations.
- Runtime network use is local readiness probing or user-configured Git/service URLs.
- No AI-agent config mutation occurs during installation.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource writes persistence or remote-access backdoor material.
dist/cli/index.jsView on unpkg · L39A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L39Package source references dynamic require/import behavior.
dist/cli/index.jsView on unpkg · L141Package source references weak cryptographic algorithms.
dist/cli/index.jsView on unpkg · L39