AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is confirmed. The package is a workflow-data bundle that can be projected into first-party Claude Code agent/skill paths by an external consumer CLI; its local tools can operate on a selected project when invoked.
Static reason
No blocking static signals were detected.
Trigger
An explicit consumer CLI workflow installation or user/agent invocation of bundled scripts.
Impact
Enabled workflows can modify project-local `.harness` data and execute configured project commands; no automatic foreign control-surface mutation or exfiltration is established.
Mechanism
First-party AI-agent skill deployment with project-local automation and MCP tooling.
Rationale
Source inspection found a first-party AI-agent extension payload with project automation capabilities, but no automatic execution or concrete malicious behavior. Warn rather than block because deployment requires an external installer or explicit invocation.
Evidence
package.jsonREADME.mdharness/migrations/0.1.1/general.jsonharness/bundles/general/claude-code/harness-knowledge-ingest/mcp-config.example.jsonharness/bundles/general/claude-code/harness-knowledge-ingest/scripts/harness_knowledge.pyharness/bundles/general/claude-code/scripts/harness_service.py.claude/agents/harness-evaluator.md.claude/skills/harness-knowledge-ingest/scripts/harness_knowledge_mcp.py
Decision evidence
public snapshotAI called this Suspicious at 83.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `harness/migrations/0.1.1/general.json` maps bundled content into `.claude/agents` and `.claude/skills`.
- `harness-knowledge-ingest/mcp-config.example.json` defines a local Python MCP server.
- Bundled knowledge tooling can write project-local indexes and run configured command validators.
- Bundled service manager can start configured project service commands when explicitly invoked.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, bin, main, or exports entrypoint.
- The only npm script is `prepack`, so installed package content does not auto-execute.
- No confirmed external network endpoint or credential-exfiltration path was found in inspected executable sources.
- MCP configuration is an example file; source does not auto-register it during installation.
Behavioral surface
CryptoFilesystem
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceharness/bundles/general/claude-code/harness-knowledge-ingest/scripts/harness_knowledge_mcp.pyView file
•path = harness/bundles/general/claude-code/harness-knowledge-ingest/scripts/harness_knowledge_mcp.py
kind = build_helper
sizeBytes = 11384
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
harness/bundles/general/claude-code/harness-knowledge-ingest/scripts/harness_knowledge_mcp.pyView on unpkgFindings
1 Medium3 Low
MediumShips Build Helperharness/bundles/general/claude-code/harness-knowledge-ingest/scripts/harness_knowledge_mcp.py
LowScripts Present
LowFilesystem
LowHigh Entropy Strings