AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI workflow harness that can alter agent configuration, but the inspected writes occur through explicit setup/install/uninstall commands rather than install-time or import-time execution.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harnessed CLI commands such as setup, install, run, or harnessed-inject-state hook after configuring it.
Impact
Creates or updates local workflow skills, slash commands, hooks, MCP/plugin entries, and harnessed state for the selected agent platform.
Mechanism
User-invoked AI workflow orchestration and configuration management
Rationale
Static inspection found powerful but package-aligned AI-agent orchestration features gated behind explicit CLI setup/install commands, with no lifecycle hook, import-time payload, credential harvesting, or exfiltration behavior. Scanner findings map to expected CLI configuration, subprocess, and manifest installer functionality rather than a concrete attack.
Evidence
package.jsondist/index.mjsdist/cli.mjsbin/harnessed-inject-state.mjsmanifests/skill-packs/gstack.yamlmanifests/tools/tavily-mcp.yaml~/.claude/harnessed/state.json~/.claude/settings.json~/.claude/commands/*.md~/.claude/skills/*~/.codex/config.toml~/.agents/skills/*
Network endpoints6
github.com/easyinplay/harnessed.gitgithub.com/garrytan/gstack.gitgithub.com/midwayjs/midway.gitgithub.com/tavily-ai/tavily-mcp.gitgithub.com/exa-labs/exa-mcp-server.gitgithub.com/ChromeDevTools/chrome-devtools-mcp.git
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bin entries are user-invoked.
- dist/index.mjs only exports VERSION; no import-time side effects.
- bin/harnessed-inject-state.mjs reads local harnessed/.planning state and prints prompt context; no subprocess or network use.
- dist/cli.mjs setup/install writes ~/.claude or ~/.codex skills, commands, hooks, MCP/plugin config only from explicit CLI commands.
- dist/cli.mjs subprocess use is for user-invoked git/claude/codex/npm-style installer workflows with confirmation/dry-run gates.
- Network references are package/update or manifest-aligned GitHub/MCP/tool URLs, not credential exfiltration endpoints.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = harnessed@4.12.0
matchedIdentity = npm:aGFybmVzc2Vk:4.12.0
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli.mjsView on unpkg11import * as ajvFormatsNs from 'ajv-formats';
L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process';
L13: import { fileURLToPath } from 'url';
...
L21: import { Command } from 'commander';
L22: import { stdout, stdin } from 'process';
L23: import * as readline from 'readline/promises';
...
L34:
L35: // package.json
L36: var package_default;
...
L47: type: "git",
L48: url: "https://github.com/easyinplay/harnessed.git"
L49: },
Low
Findings
1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings