registry  /  overplane  /  0.0.6

overplane@0.0.6

Overplane CLI - evolve verified software. Installs the native Go binary from GitHub releases.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The package installs a package-owned native CLI binary from GitHub releases and later launches it when the overplane command is run. No confirmed malicious behavior or foreign control-surface mutation is present in the JavaScript source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall downloads binary; user running overplane launches it
Impact
Package-local binary installation and CLI execution only; no source-confirmed exfiltration or persistence
Mechanism
verified native binary downloader and thin launcher
Rationale
The suspicious signals are explained by a disclosed, package-aligned native CLI installer that downloads from the project's GitHub release and verifies sha256 before writing into its own dist directory. Static inspection found no exfiltration, stealth persistence, broad AI-agent mutation, destructive behavior, or remote code execution beyond the intended user-invoked CLI binary.
Evidence
package.jsoninstall.jsbin/overplane.jsREADME.mddist/overplanedist/overplane.exe
Network endpoints2
github.com/overplane/overplane/releases/download/v0.0.6/checksums.txtgithub.com/overplane/overplane/releases/download/v0.0.6/overplane_0.0.6_<platform>_<arch>

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js downloads a platform native binary during install
  • install.js allows OVERPLANE_DOWNLOAD_BASE override for artifact source
  • bin/overplane.js executes downloaded dist/overplane via spawnSync at user invocation
Evidence against
  • Download URL is package-aligned: github.com/overplane/overplane/releases/download/v0.0.6
  • install.js verifies downloaded binary sha256 against checksums.txt before writing
  • No credential, env, home directory, npmrc, SSH, or agent config harvesting found
  • No eval/vm/Function, shell command execution, persistence, or destructive file operations found
  • Writes are limited to package-local dist/overplane or dist/overplane.exe
  • README and manifest accurately describe native binary installation behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.88 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings