registry  /  cowork-harness  /  0.23.0

cowork-harness@0.23.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an explicit Claude/Cowork test harness with user-invoked process, Docker, network, and agent config staging behavior aligned to its documented purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs cowork-harness CLI commands such as run, skill, sync, lint, or hostloop modes.
Impact
Can execute user-specified helper commands, Docker/agent runs, and network fetches during harness operation, but no install-time persistence, credential exfiltration, or unconsented foreign AI-agent control-surface mutation was found.
Mechanism
User-invoked agent harness orchestration and managed staging
Rationale
Static source inspection shows dangerous primitives are tied to a user-invoked Cowork/Claude harness and guarded staging paths, not npm install-time behavior or covert persistence/exfiltration. Scanner hints map to expected harness functionality and vendored PyYAML source rather than a concrete attack.
Evidence
package.jsondist/cli.jsdist/decide/external-channel.jsdist/runtime/hostloop.jsdist/sync/cowork-sync.jsdist/hostloop/workspace-handler.jsdist/session.jsdist/runtime/stage.jsdist/dotenv.jsdist/secrets.js.claude/skills/cowork-harness/SKILL.md.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI includes child_process/Docker execution for agent harness modes: dist/runtime/hostloop.js, dist/hostloop/workspace-handler.js.
  • User-invoked sync extracts local Claude Desktop app.asar via npx @electron/asar: dist/sync/cowork-sync.js.
  • Package ships a first-party Claude skill under .claude/skills/cowork-harness, but no lifecycle registration was found.
Evidence against
  • package.json has no install/preinstall/postinstall hook; prepublishOnly/prepack are publish-time only.
  • bin entrypoint dist/cli.js exposes documented harness commands; no import-time execution path identified.
  • Agent config writes are runtime/user-invoked and staged under run output or managed config dirs; existing user config dirs require COWORK_HARNESS_ALLOW_CONFIG_DIR_WRITE.
  • Secrets handling reads auth env/.env for running the harness and scrubs persisted logs rather than exfiltrating: dist/dotenv.js, dist/secrets.js.
  • Host web_fetch is gated by scheme, private-address checks, DNS vetting, redirects, and allowlist/provenance logic in dist/hostloop/workspace-handler.js.
  • Vendored _vendor/yaml files are readable PyYAML source used by the bundled lint script, not hidden binary payloads.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.22 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
214export function spawnChannel(cmd) { L215: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L216: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L214
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
160try { L161: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L162: const bundle = readIf(join(tmp, ".vite/build/index.js")) ?? "";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L160
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/runtime/hostloop.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.22.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.22.0 similarity = 0.757 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/runtime/hostloop.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/runtime/hostloop.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings