AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time prepare changes the current Git repository's hooksPath to a package-relative `.githooks` directory. At runtime, explicit CLI commands can launch a Claude agent, decider helper, containers, or a provisioned VM for testing.
Decision evidence
public snapshot- package.json: prepare runs `git config core.hooksPath .githooks || true` during install.
- dist/decide/external-channel.js spawns an operator-supplied `--decider-cmd` with `shell:true`.
- dist/runtime/lima.js provisions an explicitly launched VM with curl, npm, and pip installs.
- dist/runtime/protocol.js launches the configured `claude` agent binary for harness runs.
- package.json has no preinstall, install, or postinstall hook; prepublishOnly is publish-time CI.
- No source evidence of credential exfiltration, stealth payload loading, or package-controlled data upload.
- The shell helper is explicitly supplied by the invoking operator, not package data.
- The flagged vendor file is readable Python YAML-scanner source, not a hidden executable payload.
- dist/dotenv.js and dist/redact.js document local credential handling and redaction rather than transmission.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/decide/external-channel.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/decide/decider.jsView on unpkg · L987Package source invokes a package manager install command at runtime.
dist/sync/cowork-sync.jsView on unpkg · L219Package ships non-JavaScript build or shell helper files.
python/conftest.pyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude/skills/cowork-harness/scripts/_vendor/yaml/scanner.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/agent/session.jsView on unpkg