AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The risky primitives are package-aligned orchestration and installer features activated by explicit CLI commands, not install-time or import-time behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harnessed CLI commands such as setup, install, run, or explicit hook installation.
Impact
Can modify local Claude/Codex configuration and install declared upstream tools when invoked, but no stealth persistence, harvesting, or exfiltration was confirmed.
Mechanism
User-invoked AI workflow orchestration and upstream tool installation
Rationale
Static inspection shows a declared AI harness/orchestrator with explicit CLI-driven writes and upstream installs, but no lifecycle execution, stealth exfiltration, credential harvesting, destructive behavior, or unconsented AI-agent control-surface mutation. Scanner findings map to documented functionality rather than a concrete malicious payload.
Evidence
package.jsondist/index.mjsdist/cli.mjsbin/harnessed-inject-state.mjsREADME.mdmanifests/tools/superpowers.yamlmanifests/optional/perturn-inject.yaml
Network endpoints6
github.com/easyinplay/harnessed.gitgithub.com/ChromeDevTools/chrome-devtools-mcp.gitgithub.com/exa-labs/exa-mcp-server.gitgithub.com/tavily-ai/tavily-mcp.gitgithub.com/garrytan/gstack.gitgithub.com/midwayjs/midway.git
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/cli.mjs contains user-invoked setup/install code that can write Claude/Codex skills, commands, settings, and install upstream tools.
- dist/cli.mjs can spawn SDK subagents and install MCP/plugins when commands such as setup/install/run are explicitly invoked.
- manifests/*.yaml reference external npm/GitHub/Claude/Codex plugin installation commands.
Evidence against
- package.json has no preinstall/postinstall lifecycle scripts; install does not execute package code.
- dist/index.mjs only exports VERSION; import-time surface is inert.
- bin/harnessed-inject-state.mjs is a bin/hook helper that reads local harnessed workflow state and prints context; no network or subprocess.
- dist/cli.mjs setup/install paths are CLI-triggered, show diffs/confirmations for higher-risk writes, and align with the package's documented AI workflow orchestrator purpose.
- Base setup loads manifests/tools and manifests/skill-packs, not optional per-turn hook manifests; hooks require explicit manifest install.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = harnessed@4.15.1
matchedIdentity = npm:aGFybmVzc2Vk:4.15.1
similarity = 0.750
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli.mjsView on unpkg11import * as ajvFormatsNs from 'ajv-formats';
L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process';
L13: import { fileURLToPath } from 'url';
...
L21: import { Command } from 'commander';
L22: import { stdout, stdin } from 'process';
L23: import * as readline from 'readline/promises';
...
L34:
L35: // package.json
L36: var package_default;
...
L47: type: "git",
L48: url: "https://github.com/easyinplay/harnessed.git"
L49: },
Low
Findings
1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings