AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack chain was found. The install-time action only changes the current Git repository hook path, while runtime spawning, config staging, proxying, and sync are explicit harness features.
Decision evidence
public snapshot- package.json: prepare runs git config core.hooksPath .githooks
- dist/decide/external-channel.js: user-supplied --decider-cmd is spawned with shell:true
- dist/sync/cowork-sync.js: explicit sync invokes npx to extract local app.asar
- No preinstall, install, or postinstall hook exists
- No credential collection is sent over network; dist/secrets.js redacts configured secrets
- dist/egress/proxy.js is an allowlist proxy that records allow/deny decisions
- dist/session.js blocks writes to an existing config_dir without explicit opt-in
- Vendor YAML scanner is readable Python source, not a hidden executable payload
- Network fetch in dist/cli.js is an explicit version-checksum lookup
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L191Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/egress/sidecar.jsView on unpkg