registry  /  harnessed  /  4.15.2

harnessed@4.15.2

AI coding harness package manager + composition orchestrator

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The risky primitives are package-aligned orchestration and installer features activated by explicit CLI commands, not install-time or import-time behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harnessed CLI commands such as setup, install, run, or explicit hook installation.
Impact
Can modify local Claude/Codex configuration and install declared upstream tools when invoked, but no stealth persistence, harvesting, or exfiltration was confirmed.
Mechanism
User-invoked AI workflow orchestration and upstream tool installation
Rationale
Static inspection shows a declared AI harness/orchestrator with explicit CLI-driven writes and upstream installs, but no lifecycle execution, stealth exfiltration, credential harvesting, destructive behavior, or unconsented AI-agent control-surface mutation. Scanner findings map to documented functionality rather than a concrete malicious payload.
Evidence
package.jsondist/index.mjsdist/cli.mjsbin/harnessed-inject-state.mjsREADME.mdmanifests/tools/superpowers.yamlmanifests/optional/perturn-inject.yaml
Network endpoints6
github.com/easyinplay/harnessed.gitgithub.com/ChromeDevTools/chrome-devtools-mcp.gitgithub.com/exa-labs/exa-mcp-server.gitgithub.com/tavily-ai/tavily-mcp.gitgithub.com/garrytan/gstack.gitgithub.com/midwayjs/midway.git

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli.mjs contains user-invoked setup/install code that can write Claude/Codex skills, commands, settings, and install upstream tools.
  • dist/cli.mjs can spawn SDK subagents and install MCP/plugins when commands such as setup/install/run are explicitly invoked.
  • manifests/*.yaml reference external npm/GitHub/Claude/Codex plugin installation commands.
Evidence against
  • package.json has no preinstall/postinstall lifecycle scripts; install does not execute package code.
  • dist/index.mjs only exports VERSION; import-time surface is inert.
  • bin/harnessed-inject-state.mjs is a bin/hook helper that reads local harnessed workflow state and prints context; no network or subprocess.
  • dist/cli.mjs setup/install paths are CLI-triggered, show diffs/confirmations for higher-risk writes, and align with the package's documented AI workflow orchestrator purpose.
  • Base setup loads manifests/tools and manifests/skill-packs, not optional per-turn hook manifests; hooks require explicit manifest install.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 405 KB of source, external domains: git-scm.com, github.com, harnessed.dev

Source & flagged code

2 flagged · loading source
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = harnessed@4.15.1 matchedIdentity = npm:aGFybmVzc2Vk:4.15.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.mjsView on unpkg
11import * as ajvFormatsNs from 'ajv-formats'; L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process'; L13: import { fileURLToPath } from 'url'; ... L21: import { Command } from 'commander'; L22: import { stdout, stdin } from 'process'; L23: import * as readline from 'readline/promises'; ... L34: L35: // package.json L36: var package_default; ... L47: type: "git", L48: url: "https://github.com/easyinplay/harnessed.git" L49: },
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.mjsView on unpkg · L11

Findings

1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings