AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI setup can modify the operator's agent configuration and install declared dependencies. No unconsented install-time mutation or confirmed exfiltration chain was found.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Operator runs `harness init --interactive` or explicit runtime/apply commands and accepts setup choices.
Impact
Can alter `~/.codex/config.toml` and harness/Claude state; optional setup can globally install selected packages.
Mechanism
User-mediated agent hook/config installation and subprocess-based tooling.
Rationale
No concrete malicious behavior was established: installation has no npm install hook and the reviewed mutations occur through explicit CLI flows. Warn because this package intentionally configures AI-agent control surfaces and can execute operator-configured or selected external commands.
Evidence
package.jsondist/cli/main.jsdist/cli/init/interactive.jsdist/cli/init/dependencies.jsdist/cli/init/index.jsdist/cli/apply/install-codex-config.jsdist/cli/pack/hook-runtime-reality.js~/.codex/config.toml~/.codex/config.toml.harness-backup-<timestamp>~/.harness/harness.yaml~/.claude/settings.json
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `harness init --interactive` can wire Claude/Codex runtime configuration.
- Codex installation appends a marked harness-managed block and writes a backup.
- Interactive setup can run `npm i -g` for selected missing dependencies.
- The runtime-reality hook runs an operator-supplied `RUNTIME_REALITY_PROBE_CMD` via `sh -c`.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `dist/index.js` only re-exports modules; no import-time action found.
- Runtime wiring follows interactive prompts and selected runtimes.
- No direct HTTP/network transport import or hidden fetch-based exfiltration found.
- Agent-tasks login/status invokes its named bridge only after wizard flow.
- No eval, VM loading, native loading, or encoded payload execution found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/cli/init/interactive.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @lannguyensi/harness@0.40.0
matchedIdentity = npm:QGxhbm5ndXllbnNpL2hhcm5lc3M:0.40.0
similarity = 0.725
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli/init/interactive.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/cli/init/interactive.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings