registry  /  ai-harness-doctor  /  0.3.0

ai-harness-doctor@0.3.0

AI Harness Doctor — audit, consolidate & guard your repo's AI agent configs (AGENTS.md, CLAUDE.md, .cursorrules, ...) with a checkup→treat→follow-up→efficacy pipeline

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit AI-agent harness management CLI with guarded, user-invoked writes to agent config and CI hook surfaces. Risk is lifecycle/control-surface mutation by design, but no unconsented install-time attack chain was found.

Static reason
No blocking static signals were detected.
Trigger
User runs ai-harness-doctor install, guard --apply, eval, mcp, or pr_review.py --post workflows
Impact
May write managed agent prompts/skills, CI files, hooks, stubs, reports, or execute user-configured eval commands; no confirmed malicious exfiltration or persistence.
Mechanism
explicit agent extension setup and guard/eval helpers
Rationale
Static inspection shows a legitimate CLI for auditing and installing first-party AI harness files, with explicit commands and guarded/dry-run behavior for sensitive writes. Because it intentionally sets up agent extensions and guard hooks, warn-level lifecycle risk is appropriate, but there is no evidence of malicious install-time mutation, exfiltration, or remote payload execution.
Evidence
package.jsonbin/cli.jsbin/mcp-server.jsscripts/eval_run.pyscripts/pr_review.pyscripts/canonicalize.pyscripts/check_drift.pyscripts/scan.pyassets/guard/harness-drift.ymlSKILL.md~/.ai-harness-doctor/manifest.json~/.claude/skills/ai-harness-doctor~/.claude/commands/*.md~/.codex/prompts/*.md~/.gemini/commands/harness/*.toml.cursor/commands/*.md.git/hooks/pre-commit.github/workflows/harness-drift.yml.github/workflows/harness-checkup.yml.gitlab/harness-ci.yml.harness-ci/harness-guard.sh.codebase/pipelines/harness-guard.yamlAGENTS.mdtool stub files such as CLAUDE.md, .cursorrules, GEMINI.md
Network endpoints3
registry.npmjs.org/ai-harness-doctor/latestapi.github.com/repos/{repo}/pulls/{pr_number}/reviewsapi.github.com/repos/{repo}/issues/{pr_number}/comments

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • bin/cli.js explicit install writes Claude/Codex/Cursor/Gemini adapter files and package payload into agent config locations
  • bin/cli.js guard --apply can create/overwrite managed CI/pre-commit guard files after dry-run preview
  • scripts/eval_run.py executes user-supplied runner/check/judge shell commands during explicit eval workflows
  • scripts/pr_review.py can post to GitHub API only with --post and GITHUB_TOKEN
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/cli.js only runs main when executed directly; import exports helpers without side effects
  • Agent config mutations are explicit CLI commands, not install-time broad control-surface hijacking
  • Guard writes are dry-run by default and avoid clobbering unmarked user CI/hook files
  • Update check is package-aligned to npm registry, TTY/throttle gated, and opt-out via env
  • No credential harvesting, stealth persistence, destructive install behavior, or remote payload execution found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 42.6 KB of source, external domains: registry.npmjs.org

Source & flagged code

1 flagged · loading source
scripts/eval_run.pyView file
path = scripts/eval_run.py kind = build_helper sizeBytes = 25503 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/eval_run.pyView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/eval_run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings