AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Installation only repairs execute permissions on an existing `node-pty` helper; runtime capabilities require explicit `ovr` commands and project configuration.
Decision evidence
public snapshot- `scripts/postinstall.mjs` only chmods `node-pty`'s existing `spawn-helper` executable.
- No install-time network, shell, config-loader, or AI-agent-control-surface behavior found.
- `dist/cli/index.js` dynamically imports only an explicit repository `ovr.config.*` during CLI use.
- Network code is local readiness probing or explicit user-configured/bootstrap URLs.
- Process execution launches configured development services, git tooling, or an interactive shell after CLI commands.
Source & flagged code
7 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource writes persistence or remote-access backdoor material.
dist/cli/index.jsView on unpkg · L39A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L39This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/index.jsView on unpkgPackage source references dynamic require/import behavior.
dist/cli/index.jsView on unpkg · L141Package source references weak cryptographic algorithms.
dist/cli/index.jsView on unpkg · L39