AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are explicit CLI operations for installing a Claude plugin and running a local harness portal, not npm install-time behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `harness-creator` or `harness-portal`.
Impact
Can add a Claude plugin marketplace source or run local project inspection tooling when explicitly invoked by the user.
Mechanism
User-invoked Claude plugin registration and local project portal
Rationale
Static inspection shows no lifecycle hook or unconsented install-time modification of foreign/broad AI-agent control surfaces; agent-facing actions are explicit CLI/plugin workflow steps. Network, shell, git, gh, and npx use are package-aligned local portal/installer functionality with no evidence of exfiltration or persistence.
Evidence
package.jsonscripts/install.mjsscripts/lib/install-utils.mjsscripts/portal.mjsscripts/lib/portal-c4.mjsscripts/lib/portal-server.mjsscripts/lib/portal-github.mjsscripts/lib/portal-collect.mjstemplates/portal/index.html~/.claude/plugins/cachedocs/architecturefeature_list.jsonfeature-list.jsonprogress.mddocs/superpowers/specsdocs/superpowers/plansdocs/adr.claude/rules.claude/skills.claude/workflows.claude/hooks/precommit-check.sh.claude/settings.jsonlefthook.yml
Network endpoints3
unpkg.com/vis-network@9.1.9/standalone/umd/vis-network.min.js127.0.0.1:<port>claude.ai/code
Decision evidence
public snapshotAI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
- scripts/install.mjs is a user-invoked bin that runs `claude plugin marketplace add --scope ...` for a Claude plugin marketplace entry.
- scripts/lib/portal-c4.mjs user-invoked portal spawns `npx -y likec4 serve` under the target project.
- templates/portal/index.html loads vis-network from https://unpkg.com and uses local `/api/*`/SSE endpoints.
Evidence against
- package.json has no npm lifecycle hooks, only bin entrypoints and a test script.
- scripts/install.mjs prompts for user/project scope and exits if required Claude/superpowers prerequisites are absent; no install-time mutation occurs.
- scripts/lib/portal-c4.mjs binds/probes only 127.0.0.1 and deletes common AI API key env vars before spawning likec4.
- scripts/lib/portal-server.mjs exposes a local read-only portal API except graph ledger sync tied to explicit `harness-portal` execution.
- scripts/lib/portal-github.mjs uses local `gh` CLI reads for PR/run/issue metadata and does not post data externally.
- No credential harvesting, remote code fetch beyond explicit npx/Claude tooling, persistence, destructive actions, or lifecycle AI-agent control hijack found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcescripts/lib/portal-sources.mjsView file
2import path from 'node:path';
L3: import { execFileSync } from 'node:child_process';
L4: import { readFile } from 'node:fs/promises';
High
Child Process
Package source references child process execution.
scripts/lib/portal-sources.mjsView on unpkg · L2scripts/lib/portal-c4.mjsView file
1// scripts/lib/portal-c4.mjs — lazy `npx likec4 serve` lifecycle + liveness probe + group kill.
L2: import { spawn as nodeSpawn } from 'node:child_process';
L3: import { request } from 'node:http';
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
scripts/lib/portal-c4.mjsView on unpkg · L1Findings
3 High2 Medium4 Low
HighChild Processscripts/lib/portal-sources.mjs
HighShell
HighRuntime Package Installscripts/lib/portal-c4.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License