registry  /  cowork-harness  /  0.30.0

cowork-harness@0.30.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The only install-adjacent mutation is a prepare-time repository-local Git hooks-path setting. Runtime process, Docker, network, and shell features are tied to explicit harness commands and supplied configuration; no confirmed malicious payload or exfiltration chain was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Git/local install invoking `prepare`, or explicit `sync`, live-run, and `--decider-cmd` usage.
Impact
Can alter local Git hook resolution during prepare; explicit commands can launch Docker/helpers and permitted test egress.
Mechanism
Prepare-time Git config mutation plus user-invoked harness orchestration.
Rationale
No concrete malicious behavior was established, but the prepare lifecycle performs a repository configuration mutation. Per policy, that install-adjacent VCS hook setup warrants a non-blocking warning.
Evidence
package.jsondist/sync/cowork-sync.jsdist/egress/sidecar.jsdist/egress/proxy.jsdist/decide/external-channel.jsdist/decide/decider.jsdist/cli.js.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py.githooks
Network endpoints1
downloads.claude.ai/claude-code-releases/${version}/manifest.json

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `package.json` prepare runs `git config core.hooksPath .githooks || true`.
  • `dist/sync/cowork-sync.js` invokes `npx --yes @electron/asar` during explicit `sync`.
  • `dist/decide/external-channel.js` runs a user-supplied `--decider-cmd` through a shell.
  • `dist/egress/sidecar.js` creates Docker networks and an egress proxy for live runs.
Evidence against
  • No preinstall, install, or postinstall lifecycle hook is present.
  • No bundled native executable or opaque payload was found; vendor `scanner.py` is readable YAML source.
  • `dist/egress/proxy.js` enforces a supplied host allowlist and logs allow/deny decisions.
  • `dist/cli.js` fetches `downloads.claude.ai` only in explicit `sync` checksum lookup; no credential-exfiltration path was found.
  • `dist/decide/decider.js` dynamic Function evaluates author-supplied scenario predicates, not downloaded code.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 86 file(s), 1.71 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
216export function spawnChannel(cmd) { L217: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L218: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L216
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
219try { L220: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L221: const bundleFiles = readMainBundleFiles(tmp);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L219
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/egress/sidecar.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.28.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.28.0 similarity = 0.570 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/egress/sidecar.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/egress/sidecar.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings