AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are aligned with a Claude Cowork test harness and are activated by explicit CLI commands, not package install or import.
Decision evidence
public snapshot- package.json has no install/postinstall hook; prepublishOnly only runs npm run ci before publishing.
- dist/cli.js is a user-invoked CLI entrypoint; no import-time execution beyond command parsing/imports observed.
- dist/sync/cowork-sync.js npx @electron/asar use is limited to explicit sync maintenance command on local Claude Desktop app.asar.
- dist/runtime/hostloop.js and dist/decide/external-channel.js spawn docker/agent/helper processes only for documented harness runs or operator-supplied decider commands.
- dist/session.js/stage files write settings, skills, mcp.json into harness-managed run/config dirs and reject clobbering existing user config dirs.
- .claude/skills/cowork-harness is bundled documentation/helper skill content, not lifecycle-installed into a foreign agent surface.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L141Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/runtime/hostloop.jsView on unpkg