AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall downloads and installs a package-local native binary. Source verifies its SHA-256 against a release checksum before writing it; no concrete malicious behavior is present.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation executes `postinstall`; invoking `overplane` launches `dist/overplane`.
Impact
Installs and executes a verified-by-release-checksum native payload; source shows no credential exfiltration, persistence, or foreign control-surface mutation.
Mechanism
version-pinned native binary bootstrap and local CLI launcher
Rationale
The install hook is a disclosed native-binary bootstrapper with checksum verification and a package-version-aligned GitHub release endpoint. Static source inspection finds no malicious chain; the environment-variable override is an explicit installer test hook rather than package-controlled exfiltration or persistence.
Evidence
package.jsoninstall.jsbin/overplane.jsREADME.mddist/overplane
Network endpoints1
github.com/overplane/overplane/releases/download/v0.0.8
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` runs `node install.js` during `postinstall`.
- `install.js` downloads a platform-native executable and writes it executable under `dist/`.
- `OVERPLANE_DOWNLOAD_BASE` can replace the release host at install time.
Evidence against
- `install.js` derives the default download URL from the package version and GitHub release path.
- Downloaded bytes are SHA-256 checked against the matching `checksums.txt` entry before writing.
- No source reads credentials, harvests files, invokes shells, or mutates AI-agent configuration.
- `bin/overplane.js` only launches the installed package-local binary with user CLI arguments.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings