AI Security Review
scanned 3h ago · by lpm-firewall-aiThe only install-adjacent mutation is a prepare-time repository-local Git hooks-path setting. Runtime process, Docker, network, and shell features are tied to explicit harness commands and supplied configuration; no confirmed malicious payload or exfiltration chain was found.
Decision evidence
public snapshot- `package.json` prepare runs `git config core.hooksPath .githooks || true`.
- `dist/sync/cowork-sync.js` invokes `npx --yes @electron/asar` during explicit `sync`.
- `dist/decide/external-channel.js` runs a user-supplied `--decider-cmd` through a shell.
- `dist/egress/sidecar.js` creates Docker networks and an egress proxy for live runs.
- No preinstall, install, or postinstall lifecycle hook is present.
- No bundled native executable or opaque payload was found; vendor `scanner.py` is readable YAML source.
- `dist/egress/proxy.js` enforces a supplied host allowlist and logs allow/deny decisions.
- `dist/cli.js` fetches `downloads.claude.ai` only in explicit `sync` checksum lookup; no credential-exfiltration path was found.
- `dist/decide/decider.js` dynamic Function evaluates author-supplied scenario predicates, not downloaded code.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L219Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/egress/sidecar.jsView on unpkg