AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack surface is established. The package can install its own ZCode extension and copy project-local AI-agent hooks only after explicit CLI commands.
Static reason
No blocking static signals were detected.
Trigger
User runs `cowork-flow init` or `cowork-flow install-zcode-plugin`; configured hooks then run during supported AI-agent events.
Impact
Local project workflow context injection and ZCode plugin-cache/marketplace modification.
Mechanism
Explicit first-party AI-agent extension and project hook setup.
Rationale
No concrete malicious behavior was found, but explicit installation of a first-party AI-agent extension and event hooks is a real control-surface modification that warrants a warning under the stated policy.
Evidence
package.jsonsrc/commands/init.jssrc/commands/install-zcode-plugin.jssrc/lib/copy-template.jstemplate/.codex/hooks.jsontemplate/.claude/settings.jsontemplate/.zcode/hooks/hooks.jsontemplate/.codex/hooks/inject-workflow-state.pytemplate/.claude/hooks/inject-workflow-state.pytemplate/.zcode/hooks/inject-context.jstemplate/.cowork-flow/runtemplate/.cowork-flow/scripts/run.py
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/install-zcode-plugin.js` explicitly installs a ZCode plugin into the user cache and updates its marketplace manifest.
- `src/commands/init.js` copies platform-specific template files; templates include Codex and Claude prompt/session hook configurations.
- `template/.codex/hooks.json` and `template/.claude/settings.json` execute local workflow-state scripts on AI-agent hook events.
- `template/.zcode/hooks/hooks.json` runs the package-owned ZCode context hook on session and prompt events.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- All observed setup is behind explicit `cowork-flow init` or `install-zcode-plugin` user commands.
- Reviewed hook sources operate on local project workflow files and emit local context; no outbound network client was found.
- Process launches are local Python, npm update, or Git-oriented workflow helpers; no remote payload execution was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcetemplate/.cowork-flow/scripts/run.pyView file
•path = template/.cowork-flow/scripts/run.py
kind = payload_in_excluded_dir
sizeBytes = 4021
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
template/.cowork-flow/scripts/run.pyView on unpkg•path = template/.cowork-flow/scripts/run.py
kind = build_helper
sizeBytes = 4021
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
template/.cowork-flow/scripts/run.pyView on unpkgFindings
1 High3 Medium2 Low
HighPayload In Excluded Dirtemplate/.cowork-flow/scripts/run.py
MediumEnvironment Vars
MediumShips Build Helpertemplate/.cowork-flow/scripts/run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem