registry  /  cowork-flow  /  0.0.38

cowork-flow@0.0.38

CLI for installing and maintaining cowork-flow collaboration templates.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `cowork-flow init` or `cowork-flow install-zcode-plugin`.
Impact
Installed project hooks/plugins can influence future AI-agent workflow context and run local workflow scripts when the host permits them.
Mechanism
Explicit installation of AI-agent workflow templates, hooks, and local plugin assets.
Rationale
Flag as warn because explicit user commands install AI-agent hooks/plugins that can affect future host behavior. The behavior is package-aligned and user-invoked, so there is no basis for a publish block.
Evidence
package.jsonsrc/commands/init.jssrc/commands/install-zcode-plugin.jssrc/lib/copy-template.jstemplate/.codex/hooks.jsontemplate/.cowork-flow/scripts/run.pybin/cowork-flow.jssrc/lib/plan-applier.jstemplate/.codex/hooks/inject-workflow-state.pytemplate/.opencode/plugins/cowork-flow.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/init.js` explicitly installs selected Codex/OpenCode/Claude template assets into a target project.
  • `template/.codex/hooks.json` registers a Codex `UserPromptSubmit` command hook.
  • `src/commands/install-zcode-plugin.js` explicitly copies plugin assets into `ZCODE_HOME`/`~/.zcode` and updates its marketplace cache.
  • `template/.cowork-flow/scripts/run.py` dispatches bundled Python commands, including user-requested subprocess execution.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • No network URLs, HTTP clients, or credential-exfiltration code were found in executable source.
  • The template hook honors disable environment variables and is project-scoped after explicit setup.
  • Subprocess use is confined to the installed workflow dispatcher and Git/task operations, not package installation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 66.6 KB of source

Source & flagged code

2 flagged · loading source
template/.cowork-flow/scripts/run.pyView file
path = template/.cowork-flow/scripts/run.py kind = payload_in_excluded_dir sizeBytes = 4869 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

template/.cowork-flow/scripts/run.pyView on unpkg
path = template/.cowork-flow/scripts/run.py kind = build_helper sizeBytes = 4869 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/.cowork-flow/scripts/run.pyView on unpkg

Findings

1 High3 Medium2 Low
HighPayload In Excluded Dirtemplate/.cowork-flow/scripts/run.py
MediumEnvironment Vars
MediumShips Build Helpertemplate/.cowork-flow/scripts/run.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem