AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an Omega Harness CLI/server bundle with local web UI, local API/gRPC, provider configuration, and user-invoked skill generation.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harness/omega-harness commands such as ui, task run, agent run, or skill generate
Impact
Package-aligned local server/task management; no source-grounded unconsented compromise identified
Mechanism
local harness CLI, localhost API calls, optional provider API calls, user-invoked file generation
Rationale
Static inspection shows risky primitives are tied to explicit CLI/server features: starting a local harness server, localhost polling, configured provider calls, and user-invoked skill adapter generation. I found no install-time execution, credential harvesting, external exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/cli.jsdist/server/src/lib/run-task.tsdist/server/src/routes/tasks.tsdist/server/src/routes/providers.tsdist/server/package.jsondist/server/dist/index.jspackages/skills/src/generated/<ClassName>.tspackages/skills/src/generated/index.tsharness-skills/generated/<ClassName>.tsharness-skills/generated/index.ts
Network endpoints3
localhost:4000localhost:50051localhost:<PORT>
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/cli.js has user-invoked child_process spawn for bundled server or pnpm dev fallback in ui command
- dist/cli.js skill generate writes adapter files under OMEGA_HARNESS_ROOT or harness-skills
- dist/server routes can store provider apiKey and send prompts to configured providers when tasks are run
Evidence against
- package.json has only prepublishOnly build hook, no install/import-time lifecycle execution
- dist/cli.js network calls target localhost API/gRPC by default or user-supplied --api/HARNESS_* values
- spawned server path is package-local dist/server/dist/index.js or development pnpm fallback, triggered by harness ui
- No credential harvesting, external exfiltration endpoint, destructive install behavior, or persistence found
- Agent execution is user-triggered via task tags/routes and @omega/agent bundled package appears missing dist implementation
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
4 flagged · loading sourcedist/cli.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @castlemilk/omega@0.1.9
matchedIdentity = npm:QGNhc3RsZW1pbGsvb21lZ2E:0.1.9
similarity = 0.556
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli.jsView on unpkg428import { Command as Command4 } from "commander";
L429: import { spawn } from "child_process";
L430: import { existsSync as existsSync2 } from "fs";
High
537stdio: "inherit",
L538: shell: true,
L539: env
High
527const grpcPort = await findAvailablePort(DEFAULT_GRPC_PORT, MAX_GRPC_PORT);
L528: apiUrl = `http://localhost:${port.toString()}`;
L529: process.env.HARNESS_API_URL = apiUrl;
L530: const env = {
...
L535: };
L536: server = startBundledServer(env) ?? spawn("pnpm", ["--filter", "@omega/server", "dev"], {
L537: stdio: "inherit",
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L527Findings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings