registry  /  cowork-harness  /  0.25.0

cowork-harness@0.25.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are part of an explicit Cowork/Claude test harness CLI and are user-invoked rather than install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
explicit CLI commands such as run, skill, sync, doctor, decider-cmd, or boundary-check
Impact
Runs local test harness workflows and may create run artifacts or inspect local Claude Desktop state when explicitly requested; no evidence of unconsented mutation or exfiltration.
Mechanism
user-invoked harness orchestration with child processes, sandbox tooling, dotenv loading, and optional Claude Desktop baseline sync
Rationale
Static inspection shows powerful harness capabilities, but they are documented CLI features activated by explicit user commands, with no install-time execution or hidden payload/exfiltration path. The scanner findings map to expected sandbox, decider, sync, and vendored-linter functionality.
Evidence
package.jsondist/cli.jsdist/decide/external-channel.jsdist/sync/cowork-sync.jsdist/run/execute.jsdist/decide/llm-transport.jsdist/secrets.jsdist/dotenv.js.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
Network endpoints5
downloads.claude.ai/claude-code-releases/raw.githubusercontent.com/yaniv-golan/cowork-harness/main/schema/run-result.jsonapi.anthropic.comexample.comexample.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/decide/external-channel.js exposes user-supplied --decider-cmd with shell:true, but comments and CLI help show it is an explicit operator command.
  • dist/sync/cowork-sync.js can run npx @electron/asar and read Claude Desktop files, but only inside explicit macOS sync().
  • dist/cli.js and dist/dotenv.js load auth env/.env for harness runs; dist/secrets.js scrubs known token values from persisted logs.
Evidence against
  • package.json has no preinstall/install/postinstall; only prepublishOnly and prepack maintenance scripts.
  • dist/cli.js is a declared CLI for running sandbox/test harness commands, not import-time execution.
  • dist/run/execute.js writes run artifacts under the harness runs directory and has path/session guards before deletion or resume.
  • .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py is PyYAML source vendored for linting, not an executable payload.
  • Network references are package-aligned: Claude downloads/API, GitHub schema URLs, egress proxy checks, and user-invoked sync/doctor/run paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 1.26 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
214export function spawnChannel(cmd) { L215: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L216: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L214
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
165try { L166: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L167: const bundle = readIf(join(tmp, ".vite/build/index.js")) ?? "";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L165
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/run/execute.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.24.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.24.0 similarity = 0.910 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/run/execute.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/run/execute.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings