registry  /  cowork-flow  /  0.0.31

cowork-flow@0.0.31

CLI for installing and maintaining cowork-flow collaboration templates.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack surface is established. The package can install its own ZCode extension and copy project-local AI-agent hooks only after explicit CLI commands.

Static reason
No blocking static signals were detected.
Trigger
User runs `cowork-flow init` or `cowork-flow install-zcode-plugin`; configured hooks then run during supported AI-agent events.
Impact
Local project workflow context injection and ZCode plugin-cache/marketplace modification.
Mechanism
Explicit first-party AI-agent extension and project hook setup.
Rationale
No concrete malicious behavior was found, but explicit installation of a first-party AI-agent extension and event hooks is a real control-surface modification that warrants a warning under the stated policy.
Evidence
package.jsonsrc/commands/init.jssrc/commands/install-zcode-plugin.jssrc/lib/copy-template.jstemplate/.codex/hooks.jsontemplate/.claude/settings.jsontemplate/.zcode/hooks/hooks.jsontemplate/.codex/hooks/inject-workflow-state.pytemplate/.claude/hooks/inject-workflow-state.pytemplate/.zcode/hooks/inject-context.jstemplate/.cowork-flow/runtemplate/.cowork-flow/scripts/run.py

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/install-zcode-plugin.js` explicitly installs a ZCode plugin into the user cache and updates its marketplace manifest.
  • `src/commands/init.js` copies platform-specific template files; templates include Codex and Claude prompt/session hook configurations.
  • `template/.codex/hooks.json` and `template/.claude/settings.json` execute local workflow-state scripts on AI-agent hook events.
  • `template/.zcode/hooks/hooks.json` runs the package-owned ZCode context hook on session and prompt events.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • All observed setup is behind explicit `cowork-flow init` or `install-zcode-plugin` user commands.
  • Reviewed hook sources operate on local project workflow files and emit local context; no outbound network client was found.
  • Process launches are local Python, npm update, or Git-oriented workflow helpers; no remote payload execution was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 36.1 KB of source

Source & flagged code

2 flagged · loading source
template/.cowork-flow/scripts/run.pyView file
path = template/.cowork-flow/scripts/run.py kind = payload_in_excluded_dir sizeBytes = 4021 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

template/.cowork-flow/scripts/run.pyView on unpkg
path = template/.cowork-flow/scripts/run.py kind = build_helper sizeBytes = 4021 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/.cowork-flow/scripts/run.pyView on unpkg

Findings

1 High3 Medium2 Low
HighPayload In Excluded Dirtemplate/.cowork-flow/scripts/run.py
MediumEnvironment Vars
MediumShips Build Helpertemplate/.cowork-flow/scripts/run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem