registry  /  @realpkuasule/harness-automation  /  2.0.0

@realpkuasule/harness-automation@2.0.0

Repository-native policy compiler for consistent AI coding sessions

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is confirmed. The explicit `harness-automation install` command registers a first-party MCP/skill integration across local AI-agent directories; MCP and CLI workflows can also write approved project configuration files.

Static reason
No blocking static signals were detected.
Trigger
User runs `harness-automation install` or invokes its CLI/MCP generation workflows.
Impact
Adds a package-owned MCP entry and skill files to local agent configuration; project workflows can modify selected repository files.
Mechanism
Explicit first-party AI-agent extension registration and project configuration generation.
Rationale
Source inspection found an explicit first-party agent-extension installer, not concrete malicious behavior. Warn rather than block because it mutates local AI-agent configuration only after a user invokes the package CLI.
Evidence
package.jsondist/cli.jsdist/index.jsdist/v2/fs.jsdist/v2/service.jsdist/skill/scripts/run.mjs~/.claude.json~/.claude/skills/harness-automation~/.codex/skills/harness-automation~/.agents/skills/harness-automation<projectDir>/.harness/**<projectDir>/CLAUDE.md<projectDir>/AGENTS.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` explicit `install` registers an MCP server in `~/.claude.json`.
  • `dist/cli.js` copies its bundled skill into `~/.claude`, `~/.codex`, and `~/.agents`.
  • `dist/skill/scripts/run.mjs` launches the package CLI via `spawnSync`.
  • `dist/index.js` MCP tools can write project agent/config files when invoked.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • Agent configuration writes occur only through explicit CLI/MCP actions, not package installation.
  • `dist/v2/fs.js` rejects absolute, parent-traversal, and symlinked project paths.
  • No credential harvesting, payload download, dynamic evaluation, or native loading was found.
  • Network-capable paths are explicit `npm` installation or `gh` research commands in `dist/cli.js` and `dist/v2/service.js`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 346 KB of source, external domains: git.io, github.com, gitlab.com, gitlab.example.com, nodejs.org, www.typescriptlang.org

Source & flagged code

1 flagged · loading source
dist/scripts/task.pyView file
path = dist/scripts/task.py kind = build_helper sizeBytes = 11009 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/scripts/task.pyView on unpkg

Findings

3 Medium5 Low
MediumEnvironment Vars
MediumShips Build Helperdist/scripts/task.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings