AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `cowork-flow init` or `cowork-flow install-zcode-plugin`.
Impact
Installed project hooks/plugins can influence future AI-agent workflow context and run local workflow scripts when the host permits them.
Mechanism
Explicit installation of AI-agent workflow templates, hooks, and local plugin assets.
Rationale
Flag as warn because explicit user commands install AI-agent hooks/plugins that can affect future host behavior. The behavior is package-aligned and user-invoked, so there is no basis for a publish block.
Evidence
package.jsonsrc/commands/init.jssrc/commands/install-zcode-plugin.jssrc/lib/copy-template.jstemplate/.codex/hooks.jsontemplate/.cowork-flow/scripts/run.pybin/cowork-flow.jssrc/lib/plan-applier.jstemplate/.codex/hooks/inject-workflow-state.pytemplate/.opencode/plugins/cowork-flow.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/init.js` explicitly installs selected Codex/OpenCode/Claude template assets into a target project.
- `template/.codex/hooks.json` registers a Codex `UserPromptSubmit` command hook.
- `src/commands/install-zcode-plugin.js` explicitly copies plugin assets into `ZCODE_HOME`/`~/.zcode` and updates its marketplace cache.
- `template/.cowork-flow/scripts/run.py` dispatches bundled Python commands, including user-requested subprocess execution.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- No network URLs, HTTP clients, or credential-exfiltration code were found in executable source.
- The template hook honors disable environment variables and is project-scoped after explicit setup.
- Subprocess use is confined to the installed workflow dispatcher and Git/task operations, not package installation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcetemplate/.cowork-flow/scripts/run.pyView file
•path = template/.cowork-flow/scripts/run.py
kind = payload_in_excluded_dir
sizeBytes = 4869
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
template/.cowork-flow/scripts/run.pyView on unpkg•path = template/.cowork-flow/scripts/run.py
kind = build_helper
sizeBytes = 4869
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
template/.cowork-flow/scripts/run.pyView on unpkgFindings
1 High3 Medium2 Low
HighPayload In Excluded Dirtemplate/.cowork-flow/scripts/run.py
MediumEnvironment Vars
MediumShips Build Helpertemplate/.cowork-flow/scripts/run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem