registry  /  cdsa-harness  /  0.22.6

cdsa-harness@0.22.6

AI 에이전트의 내부 동작을 단계별로 드러내는 교육용 터미널 하네스. 실시간 스트리밍 + OpenAI/Claude/OpenRouter + MCP + npm 플러그인·크로스포맷 스킬.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an interactive AI agent harness with user-invoked network, plugin, file-edit, and optional shell capabilities guarded by config and approvals.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs cdsa-harness/cdsa or explicit CLI commands such as add, /update, /setup, or agent tool approvals.
Impact
Can modify workspace files, fetch URLs, call configured LLM APIs, load configured plugins/MCP servers, or run shell only when enabled/approved.
Mechanism
package-aligned interactive agent tooling
Rationale
Static inspection shows a legitimate interactive agent harness; risky primitives are package-aligned, user-invoked, workspace-scoped, and generally approval/config gated. I found no install-time execution, credential harvesting, covert exfiltration, persistence, destructive behavior, or unconsented mutation of foreign AI-agent control surfaces.
Evidence
package.jsonbin/cdsa-harness.jssrc/cli.jssrc/tools.jssrc/plugins.jssrc/loop.jssrc/llm.jssrc/config.jssrc/mcp.jssrc/skills.jsplugins/hwpx_read.mjs~/.cdsa_harness/config.json~/.cdsa_harness/history~/.cdsa_harness/.update_check~/.cdsa_harness/.welcomed~/.cdsa_harness/sessionsworkspace files under configured workspace.cdsa/plugins~/.cdsa_harness/plugins.cdsa/skills~/.cdsa_harness/skills.claude/commands.claude/skills.opencode/command.github/prompts
Network endpoints8
api.openai.com/v1/chat/completionsopenrouter.ai/api/v1/chat/completionsapi.anthropic.com/v1/messageslocalhost:11434registry.npmjs.org/cdsa-harness/latestopenrouter.ai/api/v1/modelsapi.openai.com/v1/modelsapi.anthropic.com/v1/models

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/tools.js exposes agent tools for file writes, web fetch, and optional shell execution.
  • src/plugins.js dynamically imports user/workspace/global plugin files and npm plugin packages.
  • src/cli.js has explicit user commands for npm plugin install and self-update.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/cdsa-harness.js only imports and runs src/cli.js on user invocation.
  • src/tools.js confines file operations to configured workspace via _resolve path checks.
  • src/loop.js requires approval for mutating tools and webfetch unless user enables auto approval.
  • src/tools.js shell execution is disabled by default with allow_shell=false.
  • Network calls are package-aligned LLM/update/model endpoints, not covert exfiltration.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 187 KB of source, external domains: api.anthropic.com, api.openai.com, github.com, openrouter.ai, registry.npmjs.org

Source & flagged code

4 flagged · loading source
src/tools.jsView file
2// LLM 은 생각만 하고, 실제 파일 조작/명령 실행은 전부 여기서 이뤄진다. L3: import { execSync } from "node:child_process"; L4: import fs from "node:fs";
High
Child Process

Package source references child process execution.

src/tools.jsView on unpkg · L2
src/plugins.jsView file
40try { L41: const mod = await import(pathToFileURL(full).href); L42: const def = mod.default || mod.plugin || mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/plugins.jsView on unpkg · L40
src/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cdsa-harness@0.22.3 matchedIdentity = npm:Y2RzYS1oYXJuZXNz:0.22.3 similarity = 0.813 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli.jsView on unpkg
680} L681: console.log(c.cyan(`npm install ${pkgs.join(" ")} ...`)); L682: try { L683: execFileSync("npm", ["install", ...pkgs], { stdio: "inherit", cwd: process.cwd() }); L684: console.log(c.green("설치 완료. 다음 실행부터 플러그인이 자동으로 로드됩니다 (/plugins 로 확인)."));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli.jsView on unpkg · L680

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/cli.js
HighChild Processsrc/tools.js
HighShell
HighRuntime Package Installsrc/cli.js
MediumDynamic Requiresrc/plugins.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings