registry  /  @ovrdev/cli  /  0.1.0-alpha.24

@ovrdev/cli@0.1.0-alpha.24

Override — the dev control plane: environments, repos, services, tasks

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time behavior only restores executable permission on the package dependency's `node-pty` helper. Runtime configuration, shell integration, Claude status-line setup, network imports, and command execution are explicit CLI/workspace actions.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Install runs the limited postinstall hook; interactive CLI commands activate optional workspace setup.
Impact
No unconsented persistence, credential exfiltration, remote payload execution, or foreign AI-agent control-surface mutation was found.
Mechanism
Local PTY helper permission repair and user-invoked development workspace orchestration.
Rationale
Scanner persistence and lifecycle hints are explained by a narrowly scoped node-pty chmod repair and interactive bootstrap functionality. Source inspection found no concrete malicious chain or nonconsensual AI-agent configuration change.
Evidence
package.jsonscripts/postinstall.mjsdist/cli/index.jsREADME.mdnode_modules/node-pty/prebuilds/<platform>/spawn-helperovr.config.mtsovr.config.tsovr.config.jsovr.config.mjs~/.claude/settings.json

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `scripts/postinstall.mjs` only chmods node-pty's local `spawn-helper` to 0755.
    • Postinstall has no network, shell execution, credential reads, or agent-config mutation.
    • `dist/cli/index.js` Claude and shell setup is reached only through interactive `ovr bootstrap` confirmations.
    • Remote fetch accepts a user-entered bootstrap import URL; no hard-coded collection endpoint exists.
    • Dynamic import loads only a repository's explicit `ovr.config.*` during CLI use.
    • Secret, port, and environment registries store workspace state under the package config directory; no exfiltration path found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 24 file(s), 470 KB of source, external domains: 127.0.0.1

    Source & flagged code

    7 flagged · loading source
    package.jsonView file
    scripts.postinstall = node scripts/postinstall.mjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node scripts/postinstall.mjs
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    dist/cli/index.jsView file
    39import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
    Critical
    Persistence Backdoor

    Source writes persistence or remote-access backdoor material.

    dist/cli/index.jsView on unpkg · L39
    39Trigger-reachable chain: manifest.bin -> dist/cli/index.js L39: import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli/index.jsView on unpkg · L39
    matchType = previous_version_dangerous_delta matchedPackage = @ovrdev/cli@0.1.0-alpha.23 matchedIdentity = npm:QG92cmRldi9jbGk:0.1.0-alpha.23 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/cli/index.jsView on unpkg
    141return null; L142: const mod = await import(pathToFileURL(file).href); L143: const config = mod.default ?? mod;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/cli/index.jsView on unpkg · L141
    39import * as clack2 from "@clack/prompts"; L40: import { execFileSync as execFileSync3 } from "node:child_process"; L41: import { appendFileSync, existsSync as existsSync9, mkdirSync as mkdirSync11, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "n... ... L54: try { L55: return JSON.parse(readFileSync(answersPath(dir), "utf8")); L56: } catch { ... L106: async function promptAsk(repo, key, spec) { L107: const rl = createInterface({ input: process.stdin, output: process.stderr }); L108: try { ... L115: } L116: process.stderr.write(`? ${repo}: ${spec.question} L117: `);
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/cli/index.jsView on unpkg · L39

    Findings

    3 Critical1 High5 Medium6 Low
    CriticalPersistence Backdoordist/cli/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
    CriticalPrevious Version Dangerous Deltadist/cli/index.js
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumDynamic Requiredist/cli/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/cli/index.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License