AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is confirmed. The explicit `harness-automation install` command registers a first-party MCP/skill integration across local AI-agent directories; MCP and CLI workflows can also write approved project configuration files.
Static reason
No blocking static signals were detected.
Trigger
User runs `harness-automation install` or invokes its CLI/MCP generation workflows.
Impact
Adds a package-owned MCP entry and skill files to local agent configuration; project workflows can modify selected repository files.
Mechanism
Explicit first-party AI-agent extension registration and project configuration generation.
Rationale
Source inspection found an explicit first-party agent-extension installer, not concrete malicious behavior. Warn rather than block because it mutates local AI-agent configuration only after a user invokes the package CLI.
Evidence
package.jsondist/cli.jsdist/index.jsdist/v2/fs.jsdist/v2/service.jsdist/skill/scripts/run.mjs~/.claude.json~/.claude/skills/harness-automation~/.codex/skills/harness-automation~/.agents/skills/harness-automation<projectDir>/.harness/**<projectDir>/CLAUDE.md<projectDir>/AGENTS.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` explicit `install` registers an MCP server in `~/.claude.json`.
- `dist/cli.js` copies its bundled skill into `~/.claude`, `~/.codex`, and `~/.agents`.
- `dist/skill/scripts/run.mjs` launches the package CLI via `spawnSync`.
- `dist/index.js` MCP tools can write project agent/config files when invoked.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- Agent configuration writes occur only through explicit CLI/MCP actions, not package installation.
- `dist/v2/fs.js` rejects absolute, parent-traversal, and symlinked project paths.
- No credential harvesting, payload download, dynamic evaluation, or native loading was found.
- Network-capable paths are explicit `npm` installation or `gh` research commands in `dist/cli.js` and `dist/v2/service.js`.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/scripts/task.pyView file
•path = dist/scripts/task.py
kind = build_helper
sizeBytes = 11009
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
dist/scripts/task.pyView on unpkgFindings
3 Medium5 Low
MediumEnvironment Vars
MediumShips Build Helperdist/scripts/task.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings