registry  /  perfect-harness-engineering  /  1.2.0

perfect-harness-engineering@1.2.0

The harness around Claude Code that makes it reliable — tested hooks, two-tier context, a PIV+E pipeline with an agile delivery layer, doc-grounded research reuse, and a vault-linked knowledge loop. Installs a hardened .claude/ payload.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `init` fetches mutable remote framework content, writes an agent extension into the current project, and enables its configured hooks. No install-time execution or confirmed data-exfiltration chain is present.

Static reason
No blocking static signals were detected.
Trigger
User runs `npx perfect-harness-engineering init` and selects a harness target.
Impact
A later change to the remote main branch could install and subsequently run altered project-local hooks after explicit setup.
Mechanism
Unpinned remote template download followed by project-local AI-agent hook installation.
Rationale
The explicit setup command creates a real but user-invoked, package-owned agent extension surface and trusts mutable remote code without integrity pinning. It warrants a warning rather than a block because no concrete malicious behavior or install-time foreign control-surface mutation was found.
Evidence
package.jsoncli/init.jstemplate/.claude/settings.jsontemplate/.claude/harness.jsontemplate/.claude/hooks/stop-gate.mjstemplate/.claude/hooks/guard.mjs.claude/settings.json.claude/harness.json.claude/hooks/session-start.mjs.claude/hooks/guard.mjs.claude/hooks/post-edit.mjs.claude/hooks/stop-gate.mjs.agents/.codex/
Network endpoints1
github.com/cristian-robert/claude-code-harness/archive/refs/heads/main.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • cli/init.js downloads an unpinned GitHub main-branch tarball with curl.
  • cli/init.js extracts that tarball and copies template/.claude into the current project.
  • template/.claude/settings.json registers automatic Claude Code command hooks.
  • template/.claude/hooks/stop-gate.mjs can shell-execute project-configured stopGate commands.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Network retrieval occurs only after the user explicitly runs the init CLI.
  • No source evidence of credential harvesting, exfiltration, stealth, or foreign control-surface writes.
  • Default template/.claude/harness.json sets stopGate to an empty array.
  • Guard hooks deny common secret-file access and recursive deletion.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 282 KB of source, external domains: api.internal, evil.example, github.com

Source & flagged code

2 flagged · loading source
template/.claude/tooling/codebase_search.pyView file
path = template/.claude/tooling/codebase_search.py kind = payload_in_excluded_dir sizeBytes = 11721 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

template/.claude/tooling/codebase_search.pyView on unpkg
path = template/.claude/tooling/codebase_search.py kind = build_helper sizeBytes = 11721 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/.claude/tooling/codebase_search.pyView on unpkg

Findings

1 High3 Medium4 Low
HighPayload In Excluded Dirtemplate/.claude/tooling/codebase_search.py
MediumEnvironment Vars
MediumShips Build Helpertemplate/.claude/tooling/codebase_search.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings