AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package has user-invoked agent connector setup that installs hooks and permissions for Overlord mission workflow, which is a lifecycle risk but not unconsented install-time hijack.
Static reason
No blocking static signals were detected.
Trigger
User runs `ovld setup` or `ovld agent-setup`; hooks later run inside configured agents with `MISSION_ID`.
Impact
Prompts and permission events may be sent to the configured Overlord backend during missions.
Mechanism
first-party agent connector setup and backend protocol forwarding
Rationale
Direct source inspection shows only a benign postinstall message and user-invoked connector setup; the AI-agent hooks create real lifecycle risk but are first-party, documented, and guarded by mission environment checks. No evidence supports malicious install-time hijack, exfiltration to attacker infrastructure, remote payload execution, or destructive behavior.
Evidence
package.jsonscripts/postinstall.mjsbin/ovld.mjsdist/index.jsdist/connectors/adapters/codex/scripts/user-prompt-submit-hook.shdist/connectors/adapters/claude/scripts/permission-hook.shdist/connectors/adapters/claude/scripts/user-prompt-submit-hook.shdist/connectors/adapters/cursor/hooks/overlord-user-prompt-submit.sh
Network endpoints2
127.0.0.1:4310github.com/cooperativ-labs/OpenOverlord/releases/latest/download/
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- Explicit `ovld agent-setup` writes agent connector files and harness config in `dist/index.js`.
- Codex setup merges allow rules for `ovld protocol` and installs a local Codex plugin.
- Claude/Codex/Cursor hooks forward prompts or permission payloads to `ovld protocol` when `MISSION_ID` is set.
Evidence against
- `scripts/postinstall.mjs` only prints an install message; no install-time config mutation.
- `bin/ovld.mjs` only imports `dist/index.js` and runs the CLI on user invocation.
- Network calls use configured Overlord backend APIs with bearer auth, not hardcoded exfiltration hosts.
- Hook scripts no-op when mission env or `ovld` is absent and are connector/plugin managed.
- No obfuscated payload, credential harvesting beyond documented Overlord tokens, or destructive lifecycle behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/connectors/adapters/cursor/hooks/overlord-user-prompt-submit.shView file
•path = [redacted]-user-prompt-submit.sh
kind = build_helper
sizeBytes = 4125
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
dist/connectors/adapters/cursor/hooks/overlord-user-prompt-submit.shView on unpkgFindings
1 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/connectors/adapters/cursor/hooks/overlord-user-prompt-submit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings