registry  /  @lannguyensi/harness  /  0.41.0

@lannguyensi/harness@0.41.0

Declarative control plane for agent harnesses — one YAML for grounding, tools, memory, and hooks.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI setup can modify the operator's agent configuration and install declared dependencies. No unconsented install-time mutation or confirmed exfiltration chain was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Operator runs `harness init --interactive` or explicit runtime/apply commands and accepts setup choices.
Impact
Can alter `~/.codex/config.toml` and harness/Claude state; optional setup can globally install selected packages.
Mechanism
User-mediated agent hook/config installation and subprocess-based tooling.
Rationale
No concrete malicious behavior was established: installation has no npm install hook and the reviewed mutations occur through explicit CLI flows. Warn because this package intentionally configures AI-agent control surfaces and can execute operator-configured or selected external commands.
Evidence
package.jsondist/cli/main.jsdist/cli/init/interactive.jsdist/cli/init/dependencies.jsdist/cli/init/index.jsdist/cli/apply/install-codex-config.jsdist/cli/pack/hook-runtime-reality.js~/.codex/config.toml~/.codex/config.toml.harness-backup-<timestamp>~/.harness/harness.yaml~/.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `harness init --interactive` can wire Claude/Codex runtime configuration.
  • Codex installation appends a marked harness-managed block and writes a backup.
  • Interactive setup can run `npm i -g` for selected missing dependencies.
  • The runtime-reality hook runs an operator-supplied `RUNTIME_REALITY_PROBE_CMD` via `sh -c`.
Evidence against
  • `package.json` has only `prepublishOnly`; no install lifecycle hook.
  • `dist/index.js` only re-exports modules; no import-time action found.
  • Runtime wiring follows interactive prompts and selected runtimes.
  • No direct HTTP/network transport import or hidden fetch-based exfiltration found.
  • Agent-tasks login/status invokes its named bridge only after wizard flow.
  • No eval, VM loading, native loading, or encoded payload execution found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 175 file(s), 1.35 MB of source, external domains: agent-tasks.opentriologue.ai, github.com

Source & flagged code

1 flagged · loading source
dist/cli/init/interactive.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lannguyensi/harness@0.40.0 matchedIdentity = npm:QGxhbm5ndXllbnNpL2hhcm5lc3M:0.40.0 similarity = 0.725 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/init/interactive.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/cli/init/interactive.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings