registry  /  cowork-harness  /  0.24.0

cowork-harness@0.24.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an agent test harness with user-invoked sandbox, decider, sync, and staging features; the risky primitives are aligned with that purpose and are not lifecycle-triggered.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs cowork-harness CLI commands such as run/chat/skill/sync with chosen options.
Impact
Runs local agent/sandbox workflows and may stage configured files under harness session directories; no unconsented install-time persistence or exfiltration found.
Mechanism
user-invoked agent harness orchestration
Rationale
Static inspection found a legitimate Claude Cowork skill-testing harness with shell/spawn/network-related capabilities gated behind explicit CLI use and no npm install-time mutation of foreign AI-agent control surfaces. Scanner hits map to package-aligned runtime features, vendored support files, or publish-time scripts rather than concrete malicious behavior.
Evidence
package.jsondist/runtime/hostloop.jsdist/decide/external-channel.jsdist/sync/cowork-sync.jsdist/runtime/stage.jsdist/secrets.jsdist/runtime/host-env.js.claude/skills/cowork-harness/SKILL.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/runtime/hostloop.js spawns a native Claude agent and Docker sidecar for the hostloop fidelity tier.
  • dist/decide/external-channel.js intentionally supports operator-supplied --decider-cmd with shell:true.
  • dist/sync/cowork-sync.js has a user-invoked sync path that reads Claude Desktop files and runs npx @electron/asar.
Evidence against
  • package.json has no install/postinstall/preinstall hook; prepublishOnly and prepack are publish-time only.
  • Shipped .claude/skills/cowork-harness files are package content, not lifecycle-installed into a user/home agent surface.
  • dist/runtime/stage.js stages config and mcp.json into harness-owned session workspace paths, with containment checks.
  • dist/secrets.js scrubs known auth tokens and encoded variants from emitted artifacts/decider context.
  • dist/runtime/host-env.js passes only expected Claude/Anthropic auth env to the spawned agent.
  • Dangerous primitives are documented CLI/runtime harness features activated by user commands, not import-time behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 1.25 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
214export function spawnChannel(cmd) { L215: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L216: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L214
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
165try { L166: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L167: const bundle = readIf(join(tmp, ".vite/build/index.js")) ?? "";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L165
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/runtime/hostloop.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.23.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.23.0 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/runtime/hostloop.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/runtime/hostloop.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings