AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an agent test harness with user-invoked sandbox, decider, sync, and staging features; the risky primitives are aligned with that purpose and are not lifecycle-triggered.
Decision evidence
public snapshot- dist/runtime/hostloop.js spawns a native Claude agent and Docker sidecar for the hostloop fidelity tier.
- dist/decide/external-channel.js intentionally supports operator-supplied --decider-cmd with shell:true.
- dist/sync/cowork-sync.js has a user-invoked sync path that reads Claude Desktop files and runs npx @electron/asar.
- package.json has no install/postinstall/preinstall hook; prepublishOnly and prepack are publish-time only.
- Shipped .claude/skills/cowork-harness files are package content, not lifecycle-installed into a user/home agent surface.
- dist/runtime/stage.js stages config and mcp.json into harness-owned session workspace paths, with containment checks.
- dist/secrets.js scrubs known auth tokens and encoded variants from emitted artifacts/decider context.
- dist/runtime/host-env.js passes only expected Claude/Anthropic auth env to the spawned agent.
- Dangerous primitives are documented CLI/runtime harness features activated by user commands, not import-time behavior.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L165Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/runtime/hostloop.jsView on unpkg