registry  /  openwork-orchestrator  /  0.17.9

openwork-orchestrator@0.17.9

OpenWork host orchestrator for opencode + OpenWork server + opencode-router

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package has an install-time fallback downloader for its own native CLI binary, with a base URL override via environment variable. No confirmed malicious behavior or unconsented mutation of external agent control surfaces was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; runtime when openwork CLI is invoked
Impact
Installs or runs the package's platform-specific openwork binary
Mechanism
platform binary resolution and fallback download
Rationale
Static source inspection shows a conventional native-binary wrapper package: postinstall verifies optional platform packages and downloads a same-version fallback binary into its own package directory if needed. The network and process execution primitives are package-aligned, user/install triggered, and no concrete attack surface such as exfiltration, persistence, or AI-agent control hijack is present.
Evidence
package.jsonpostinstall.mjsbin/openworkdist/bin/openworkdist/bin/openwork.exe
Network endpoints1
github.com/different-ai/openwork/releases/download/openwork-orchestrator-v${version}/${asset}

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall hook: node ./postinstall.mjs
  • postinstall.mjs downloads a platform fallback binary from GitHub releases if optional platform package is absent
  • postinstall.mjs permits OPENWORK_ORCHESTRATOR_DOWNLOAD_BASE_URL override for fallback binary source
  • bin/openwork executes platform binary or OPENWORK_ORCHESTRATOR_BIN_PATH override when user invokes CLI
Evidence against
  • No writes to foreign AI-agent control surfaces, shell startup files, VCS hooks, or OS persistence paths observed
  • Install hook only verifies optional platform package or writes fallback binary under package dist/bin
  • Network endpoint is package-aligned GitHub release URL for same version
  • No credential harvesting, filesystem enumeration, destructive behavior, or exfiltration observed in inspected JS files
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.34 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings