AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an explicit Claude/Cowork test harness with user-invoked process, Docker, network, and agent config staging behavior aligned to its documented purpose.
Decision evidence
public snapshot- User-invoked CLI includes child_process/Docker execution for agent harness modes: dist/runtime/hostloop.js, dist/hostloop/workspace-handler.js.
- User-invoked sync extracts local Claude Desktop app.asar via npx @electron/asar: dist/sync/cowork-sync.js.
- Package ships a first-party Claude skill under .claude/skills/cowork-harness, but no lifecycle registration was found.
- package.json has no install/preinstall/postinstall hook; prepublishOnly/prepack are publish-time only.
- bin entrypoint dist/cli.js exposes documented harness commands; no import-time execution path identified.
- Agent config writes are runtime/user-invoked and staged under run output or managed config dirs; existing user config dirs require COWORK_HARNESS_ALLOW_CONFIG_DIR_WRITE.
- Secrets handling reads auth env/.env for running the harness and scrubs persisted logs rather than exfiltrating: dist/dotenv.js, dist/secrets.js.
- Host web_fetch is gated by scheme, private-address checks, DNS vetting, redirects, and allowlist/provenance logic in dist/hostloop/workspace-handler.js.
- Vendored _vendor/yaml files are readable PyYAML source used by the bundled lint script, not hidden binary payloads.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L160Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/runtime/hostloop.jsView on unpkg