OverTree is a local paper-writing workspace with account-based credits.
No confirmed malicious attack surface is established. Network, subprocess, update, service, and agent-skill features are tied to explicit CLI or interactive user actions rather than npm installation or import.
Package source references child process execution.
src/web-autostart.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/web-autostart.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
src/skillmesh.jsView on unpkg · L3Package source invokes a package manager install command at runtime.
src/auto-update.jsView on unpkg · L165Package ships non-JavaScript build or shell helper files.
scripts/setup-agent-toolchain-docker.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/project.jsView on unpkgPackage source references child process execution.
src/web-autostart.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/web-autostart.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
scripts/setup-agent-toolchain-docker.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/project.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
src/skillmesh.jsView on unpkg · L3Package source invokes a package manager install command at runtime.
src/auto-update.jsView on unpkg · L165