registry  /  ozali  /  0.7.1

ozali@0.7.1

Bootstrap interactivo de IA por equipo: calibra el proyecto, genera la skill de ejecución (cdk) con TDD/SDD, y mantiene memoria de equipo (Engram) con histórico aislado.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ozali init` and accepts setup, or supplies `--yes` without `--dry-run`.
Impact
A user-invoked setup can expand an AI agent's configured capabilities and install an externally fetched executable.
Mechanism
Explicit CLI agent configuration and unverified Engram binary bootstrap.
Rationale
Source inspection shows an explicit, disclosed AI-agent bootstrap rather than malicious npm lifecycle behavior. Warn because it can configure broad agent permissions and install an unverified external binary when explicitly invoked.
Evidence
package.jsoncli/bin/ozali.mjscli/lib/commands.mjscli/lib/util.mjstemplates/ozali-jarvis-plugin.js~/.local/bin/engram~/.claude.json.claude/settings.json.claude/skills/ozali.claude/skills/ozali-commit.claude/agents/ozali-jarvis.md.opencode/plugins/ozali-jarvis.jsopencode.jsonCLAUDE.mdAGENTS.md.ozali/config.json
Network endpoints2
api.github.com/repos/Gentleman-Programming/engram/releases?per_page=30github.com/Gentleman-Programming/engram/releases

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli/lib/commands.mjs` downloads and installs an `engram` release into `~/.local/bin/engram` during explicit `ozali init`.
  • `cli/lib/commands.mjs` invokes `engram setup claude-code` or `engram setup opencode` after installation.
  • Explicit `init` writes agent configuration, including `.claude/settings.json`, `opencode.json`, and `~/.claude.json` workspace trust.
  • The bundled permission profile allows agent command/web-fetch capabilities; downloaded release selection has no checksum/signature verification.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • `cli/bin/ozali.mjs` runs only when the user invokes the `ozali` executable.
  • Agent setup is disclosed and gated by `init` options/prompts; `--dry-run` avoids writes.
  • No credential harvesting, obfuscation, hidden payload, import-time execution, or package-owned exfiltration code was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 98.0 KB of source, external domains: 127.0.0.1, api.github.com, brew.sh, github.com, go.dev, opencode.ai

Source & flagged code

2 flagged · loading source
cli/lib/commands.mjsView file
21function skillTarget(cwd, scope) { L22: const base = scope === "global" ? path.join(process.env.HOME || "", ".claude") : path.join(cwd, ".claude"); L23: return path.join(base, "skills", "ozali"); ... L254: function installEngram() { L255: const plat = process.platform; L256: ... L281: warn("No se encontró Homebrew ni Go y falló la descarga del binario. Opciones:"); L282: info(" a) Homebrew " + c.dim("(recomendado)") + ": " + c.cyan("https://brew.sh") + " → " + c.bold("brew install gentleman-programming/tap/engram")); L283: info(" b) Binario precompilado: " + c.cyan("https://github.com/Gentleman-Programming/engram/releases")); ... L327: let releases; L328: try { releases = JSON.parse(raw); } catch { return null; } L329: return pickEngramAsset(releases, platform, arch);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli/lib/commands.mjsView on unpkg · L21
cli/lib/util.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = ozali@0.7.0 matchedIdentity = npm:b3phbGk:0.7.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/util.mjsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltacli/lib/util.mjs
MediumDynamic Require
MediumEnvironment Vars
MediumInstall Persistencecli/lib/commands.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings