AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI workflow/orchestration CLI that can modify Claude/Codex skills, commands, settings, MCP config, and harnessed state only through explicit user-invoked commands.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harnessed CLI commands such as setup, install, update, uninstall, checkpoint, or the documented inject-state hook.
Impact
Expected installation/configuration of AI workflow assets; no credential harvesting, covert exfiltration, lifecycle execution, or persistence beyond declared user-selected harness integration was found.
Mechanism
User-invoked AI harness installer and workflow state manager
Rationale
Static inspection shows powerful but package-aligned AI harness setup/install functionality, gated by explicit CLI invocation rather than npm lifecycle or import-time execution. The scanner's dangerous delta maps to declared orchestration prompts and installer code, not covert malware behavior.
Evidence
package.jsondist/index.mjsdist/cli.mjsbin/harnessed-inject-state.mjsmanifests/tools/*.yamlmanifests/cc-hooks/dashboard-autospawn.yaml~/.claude/skills/*~/.agents/skills/*~/.claude/commands/*.md~/.codex/prompts/*.md~/.claude/settings.json~/.claude.json~/.codex/config.toml~/.claude/harnessed/*~/.codex/harnessed/*
Decision evidence
public snapshotAI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only user-run build/test scripts.
- dist/index.mjs only exports VERSION; no import-time side effects.
- dist/cli.mjs dangerous primitives are CLI actions: setup/install/update/uninstall/checkpoint commands invoked by user.
- dist/cli.mjs setup writes harness files under Claude/Codex config dirs and uses confirmations/--dry-run for installs.
- bin/harnessed-inject-state.mjs is a hook helper that only reads harnessed state and repo planning files, prints context, and has no network/subprocess writes.
- Network/process use is package-aligned: npm version check, claude/codex/npm/git/npx commands for explicit setup/install/update flows.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = harnessed@4.15.0
matchedIdentity = npm:aGFybmVzc2Vk:4.15.0
similarity = 0.750
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli.mjsView on unpkg11import * as ajvFormatsNs from 'ajv-formats';
L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process';
L13: import { fileURLToPath } from 'url';
...
L21: import { Command } from 'commander';
L22: import { stdout, stdin } from 'process';
L23: import * as readline from 'readline/promises';
...
L34:
L35: // package.json
L36: var package_default;
...
L47: type: "git",
L48: url: "https://github.com/easyinplay/harnessed.git"
L49: },
Low
Findings
1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings