registry  /  overplane  /  0.0.8

overplane@0.0.8

Overplane CLI - evolve verified software. Installs the native Go binary from GitHub releases.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Postinstall downloads and installs a package-local native binary. Source verifies its SHA-256 against a release checksum before writing it; no concrete malicious behavior is present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation executes `postinstall`; invoking `overplane` launches `dist/overplane`.
Impact
Installs and executes a verified-by-release-checksum native payload; source shows no credential exfiltration, persistence, or foreign control-surface mutation.
Mechanism
version-pinned native binary bootstrap and local CLI launcher
Rationale
The install hook is a disclosed native-binary bootstrapper with checksum verification and a package-version-aligned GitHub release endpoint. Static source inspection finds no malicious chain; the environment-variable override is an explicit installer test hook rather than package-controlled exfiltration or persistence.
Evidence
package.jsoninstall.jsbin/overplane.jsREADME.mddist/overplane
Network endpoints1
github.com/overplane/overplane/releases/download/v0.0.8

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` runs `node install.js` during `postinstall`.
  • `install.js` downloads a platform-native executable and writes it executable under `dist/`.
  • `OVERPLANE_DOWNLOAD_BASE` can replace the release host at install time.
Evidence against
  • `install.js` derives the default download URL from the package version and GitHub release path.
  • Downloaded bytes are SHA-256 checked against the matching `checksums.txt` entry before writing.
  • No source reads credentials, harvests files, invokes shells, or mutates AI-agent configuration.
  • `bin/overplane.js` only launches the installed package-local binary with user CLI arguments.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.88 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings