registry  /  harnessed  /  4.14.2

harnessed@4.14.2

AI coding harness package manager + composition orchestrator

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI workflow harness that can alter agent configuration, but the inspected writes occur through explicit setup/install/uninstall commands rather than install-time or import-time execution.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harnessed CLI commands such as setup, install, run, or harnessed-inject-state hook after configuring it.
Impact
Creates or updates local workflow skills, slash commands, hooks, MCP/plugin entries, and harnessed state for the selected agent platform.
Mechanism
User-invoked AI workflow orchestration and configuration management
Rationale
Static inspection found powerful but package-aligned AI-agent orchestration features gated behind explicit CLI setup/install commands, with no lifecycle hook, import-time payload, credential harvesting, or exfiltration behavior. Scanner findings map to expected CLI configuration, subprocess, and manifest installer functionality rather than a concrete attack.
Evidence
package.jsondist/index.mjsdist/cli.mjsbin/harnessed-inject-state.mjsmanifests/skill-packs/gstack.yamlmanifests/tools/tavily-mcp.yaml~/.claude/harnessed/state.json~/.claude/settings.json~/.claude/commands/*.md~/.claude/skills/*~/.codex/config.toml~/.agents/skills/*
Network endpoints6
github.com/easyinplay/harnessed.gitgithub.com/garrytan/gstack.gitgithub.com/midwayjs/midway.gitgithub.com/tavily-ai/tavily-mcp.gitgithub.com/exa-labs/exa-mcp-server.gitgithub.com/ChromeDevTools/chrome-devtools-mcp.git

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle scripts; bin entries are user-invoked.
    • dist/index.mjs only exports VERSION; no import-time side effects.
    • bin/harnessed-inject-state.mjs reads local harnessed/.planning state and prints prompt context; no subprocess or network use.
    • dist/cli.mjs setup/install writes ~/.claude or ~/.codex skills, commands, hooks, MCP/plugin config only from explicit CLI commands.
    • dist/cli.mjs subprocess use is for user-invoked git/claude/codex/npm-style installer workflows with confirmation/dry-run gates.
    • Network references are package/update or manifest-aligned GitHub/MCP/tool URLs, not credential exfiltration endpoints.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 395 KB of source, external domains: github.com, harnessed.dev

    Source & flagged code

    2 flagged · loading source
    dist/cli.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = harnessed@4.12.0 matchedIdentity = npm:aGFybmVzc2Vk:4.12.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/cli.mjsView on unpkg
    11import * as ajvFormatsNs from 'ajv-formats'; L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process'; L13: import { fileURLToPath } from 'url'; ... L21: import { Command } from 'commander'; L22: import { stdout, stdin } from 'process'; L23: import * as readline from 'readline/promises'; ... L34: L35: // package.json L36: var package_default; ... L47: type: "git", L48: url: "https://github.com/easyinplay/harnessed.git" L49: },
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/cli.mjsView on unpkg · L11

    Findings

    1 Critical2 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/cli.mjs
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowWeak Cryptodist/cli.mjs
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings