AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit AI-agent harness management CLI with guarded, user-invoked writes to agent config and CI hook surfaces. Risk is lifecycle/control-surface mutation by design, but no unconsented install-time attack chain was found.
Static reason
No blocking static signals were detected.
Trigger
User runs ai-harness-doctor install, guard --apply, eval, mcp, or pr_review.py --post workflows
Impact
May write managed agent prompts/skills, CI files, hooks, stubs, reports, or execute user-configured eval commands; no confirmed malicious exfiltration or persistence.
Mechanism
explicit agent extension setup and guard/eval helpers
Rationale
Static inspection shows a legitimate CLI for auditing and installing first-party AI harness files, with explicit commands and guarded/dry-run behavior for sensitive writes. Because it intentionally sets up agent extensions and guard hooks, warn-level lifecycle risk is appropriate, but there is no evidence of malicious install-time mutation, exfiltration, or remote payload execution.
Evidence
package.jsonbin/cli.jsbin/mcp-server.jsscripts/eval_run.pyscripts/pr_review.pyscripts/canonicalize.pyscripts/check_drift.pyscripts/scan.pyassets/guard/harness-drift.ymlSKILL.md~/.ai-harness-doctor/manifest.json~/.claude/skills/ai-harness-doctor~/.claude/commands/*.md~/.codex/prompts/*.md~/.gemini/commands/harness/*.toml.cursor/commands/*.md.git/hooks/pre-commit.github/workflows/harness-drift.yml.github/workflows/harness-checkup.yml.gitlab/harness-ci.yml.harness-ci/harness-guard.sh.codebase/pipelines/harness-guard.yamlAGENTS.mdtool stub files such as CLAUDE.md, .cursorrules, GEMINI.md
Network endpoints3
registry.npmjs.org/ai-harness-doctor/latestapi.github.com/repos/{repo}/pulls/{pr_number}/reviewsapi.github.com/repos/{repo}/issues/{pr_number}/comments
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- bin/cli.js explicit install writes Claude/Codex/Cursor/Gemini adapter files and package payload into agent config locations
- bin/cli.js guard --apply can create/overwrite managed CI/pre-commit guard files after dry-run preview
- scripts/eval_run.py executes user-supplied runner/check/judge shell commands during explicit eval workflows
- scripts/pr_review.py can post to GitHub API only with --post and GITHUB_TOKEN
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- bin/cli.js only runs main when executed directly; import exports helpers without side effects
- Agent config mutations are explicit CLI commands, not install-time broad control-surface hijacking
- Guard writes are dry-run by default and avoid clobbering unmarked user CI/hook files
- Update check is package-aligned to npm registry, TTY/throttle gated, and opt-out via env
- No credential harvesting, stealth persistence, destructive install behavior, or remote payload execution found
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcescripts/eval_run.pyView file
•path = scripts/eval_run.py
kind = build_helper
sizeBytes = 25503
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/eval_run.pyView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/eval_run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings