registry  /  cowork-harness  /  0.28.0

cowork-harness@0.28.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack chain was found. The install-time action only changes the current Git repository hook path, while runtime spawning, config staging, proxying, and sync are explicit harness features.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm prepare, or explicit cowork-harness sync/run/decider commands
Impact
May alter local Git hook configuration during prepare; no exfiltration, remote payload execution, or foreign AI-agent control-surface mutation was confirmed.
Mechanism
Local Git hook-path setting and user-invoked agent-harness orchestration
Rationale
Source inspection does not support a malicious verdict. A conservative warning is appropriate because prepare mutates local Git hook configuration, even though no hook payload or broader persistence mechanism is shipped.
Evidence
package.jsondist/decide/external-channel.jsdist/sync/cowork-sync.jsdist/session.jsdist/egress/proxy.jsdist/secrets.jsdist/cli.js
Network endpoints1
downloads.claude.ai/claude-code-releases/<version>/manifest.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json: prepare runs git config core.hooksPath .githooks
  • dist/decide/external-channel.js: user-supplied --decider-cmd is spawned with shell:true
  • dist/sync/cowork-sync.js: explicit sync invokes npx to extract local app.asar
Evidence against
  • No preinstall, install, or postinstall hook exists
  • No credential collection is sent over network; dist/secrets.js redacts configured secrets
  • dist/egress/proxy.js is an allowlist proxy that records allow/deny decisions
  • dist/session.js blocks writes to an existing config_dir without explicit opt-in
  • Vendor YAML scanner is readable Python source, not a hidden executable payload
  • Network fetch in dist/cli.js is an explicit version-checksum lookup
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 89 file(s), 1.58 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
216export function spawnChannel(cmd) { L217: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L218: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L216
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
191try { L192: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L193: const bundle = readMainBundle(tmp);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L191
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/egress/sidecar.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.26.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.26.0 similarity = 0.513 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/egress/sidecar.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/egress/sidecar.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings