registry  /  cowork-harness  /  0.22.0

cowork-harness@0.22.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are aligned with a Claude Cowork test harness and are activated by explicit CLI commands, not package install or import.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs cowork-harness CLI commands such as run, skill, sync, hostloop, or decider options.
Impact
Can run local agent/container workflows and write harness run artifacts when invoked; no unconsented persistence, exfiltration, or lifecycle AI-agent control-surface mutation found.
Mechanism
User-invoked agent harness orchestration, local staging, and optional helper/container spawns.
Rationale
Static inspection found a package-aligned CLI harness with explicit user-invoked spawning, staging, network allowlist, and sync functionality, but no install-time/import-time execution, credential exfiltration, persistence, or unconsented writes to foreign AI-agent control surfaces. Scanner hints map to documented harness behavior and bundled helper/vendor files rather than concrete malicious behavior.
Evidence
package.jsondist/cli.jsdist/sync/cowork-sync.jsdist/runtime/hostloop.jsdist/runtime/hostloop-stage.jsdist/runtime/stage.jsdist/session.jsdist/decide/external-channel.js.claude/skills/cowork-harness/SKILL.md
Network endpoints6
api.claude.aimcp-proxy.anthropic.compreview.claude.aidownloads.claude.aiassets.claude.aipivot.claude.ai

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly only runs npm run ci before publishing.
    • dist/cli.js is a user-invoked CLI entrypoint; no import-time execution beyond command parsing/imports observed.
    • dist/sync/cowork-sync.js npx @electron/asar use is limited to explicit sync maintenance command on local Claude Desktop app.asar.
    • dist/runtime/hostloop.js and dist/decide/external-channel.js spawn docker/agent/helper processes only for documented harness runs or operator-supplied decider commands.
    • dist/session.js/stage files write settings, skills, mcp.json into harness-managed run/config dirs and reject clobbering existing user config dirs.
    • .claude/skills/cowork-harness is bundled documentation/helper skill content, not lifecycle-installed into a foreign agent surface.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 74 file(s), 1.16 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

    Source & flagged code

    7 flagged · loading source
    dist/decide/external-channel.jsView file
    4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
    High
    Child Process

    Package source references child process execution.

    dist/decide/external-channel.jsView on unpkg · L4
    214export function spawnChannel(cmd) { L215: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L216: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
    High
    Shell

    Package source references shell execution.

    dist/decide/external-channel.jsView on unpkg · L214
    dist/decide/decider.jsView file
    987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/decide/decider.jsView on unpkg · L987
    dist/sync/cowork-sync.jsView file
    141try { L142: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L143: const bundle = readIf(join(tmp, ".vite/build/index.js")) ?? "";
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/sync/cowork-sync.jsView on unpkg · L141
    python/conftest.pyView file
    path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    python/conftest.pyView on unpkg
    .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
    path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
    High
    Payload In Excluded Dir

    Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

    .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
    dist/runtime/hostloop.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.20.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.20.0 similarity = 0.651 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/runtime/hostloop.jsView on unpkg

    Findings

    1 Critical4 High4 Medium6 Low
    CriticalPrevious Version Dangerous Deltadist/runtime/hostloop.js
    HighChild Processdist/decide/external-channel.js
    HighShelldist/decide/external-channel.js
    HighRuntime Package Installdist/sync/cowork-sync.js
    HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperpython/conftest.py
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/decide/decider.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings