registry  /  cowork-harness  /  1.0.0

cowork-harness@1.0.0

Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time prepare changes the current Git repository's hooksPath to a package-relative `.githooks` directory. At runtime, explicit CLI commands can launch a Claude agent, decider helper, containers, or a provisioned VM for testing.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install executes prepare; user invokes harness run, sync, decider, or microVM modes.
Impact
Repository hook configuration is modified; user-invoked runs have deliberate process execution and network-capable VM provisioning.
Mechanism
prepare-time Git configuration plus explicit agent/sandbox orchestration
Rationale
Source inspection does not support a malicious verdict, but the install-time Git configuration mutation and intentionally broad agent/sandbox execution capability warrant a warning under the stated lifecycle and dangerous-capability policy.
Evidence
package.jsondist/decide/external-channel.jsdist/runtime/protocol.jsdist/runtime/lima.jsdist/dotenv.jsdist/redact.js.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py.githooks
Network endpoints2
downloads.claude.ai/claude-code-releases/${version}/manifest.jsondeb.nodesource.com/setup_22.x

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json: prepare runs `git config core.hooksPath .githooks || true` during install.
  • dist/decide/external-channel.js spawns an operator-supplied `--decider-cmd` with `shell:true`.
  • dist/runtime/lima.js provisions an explicitly launched VM with curl, npm, and pip installs.
  • dist/runtime/protocol.js launches the configured `claude` agent binary for harness runs.
Evidence against
  • package.json has no preinstall, install, or postinstall hook; prepublishOnly is publish-time CI.
  • No source evidence of credential exfiltration, stealth payload loading, or package-controlled data upload.
  • The shell helper is explicitly supplied by the invoking operator, not package data.
  • The flagged vendor file is readable Python YAML-scanner source, not a hidden executable payload.
  • dist/dotenv.js and dist/redact.js document local credential handling and redaction rather than transmission.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 96 file(s), 1.88 MB of source, external domains: api.anthropic.com, cloud-images.ubuntu.com, deb.nodesource.com, downloads.claude.ai, example.com, nodejs.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
dist/decide/external-channel.jsView file
4import readline from "node:readline"; L5: import { spawn } from "node:child_process"; L6: /** A sequential line reader over a stream that buffers across chunk boundaries (readline does this). */
High
Child Process

Package source references child process execution.

dist/decide/external-channel.jsView on unpkg · L4
216export function spawnChannel(cmd) { L217: // `shell: true` is INTENTIONAL, not an injection surface. `--decider-cmd` is OPERATOR-supplied — L218: // the same trust class as the harness process itself (whoever runs the harness wrote this string). Shell
High
Shell

Package source references shell execution.

dist/decide/external-channel.jsView on unpkg · L216
dist/decide/decider.jsView file
987try { L988: fn = new Function(...params, `"use strict"; return (${expr});`); L989: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/decide/decider.jsView on unpkg · L987
dist/sync/cowork-sync.jsView file
219try { L220: execFileSync("npx", ["--yes", "@electron/asar", "extract", ASAR, tmp], { stdio: "ignore" }); L221: const bundleFiles = readMainBundleFiles(tmp);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/sync/cowork-sync.jsView on unpkg · L219
python/conftest.pyView file
path = python/conftest.py kind = build_helper sizeBytes = 544 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/conftest.pyView on unpkg
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView file
path = .claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py kind = payload_in_excluded_dir sizeBytes = 51279 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkg
dist/agent/session.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cowork-harness@0.32.0 matchedIdentity = npm:Y293b3JrLWhhcm5lc3M:0.32.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent/session.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/agent/session.js
HighChild Processdist/decide/external-channel.js
HighShelldist/decide/external-channel.js
HighRuntime Package Installdist/sync/cowork-sync.js
HighPayload In Excluded Dir.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpython/conftest.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/decide/decider.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings