registry  /  @cakejp/design-system  /  0.10.0

@cakejp/design-system@0.10.0

Cake.jp Design System — UI コンポーネント・カラートークン・タイポグラフィ

AI Security Review

scanned 10h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation mutates a consumer project's root AI-agent instruction files without an explicit user command. This establishes package-controlled instructions for future Codex and Claude sessions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall while installing into a consumer project with `INIT_CWD` set
Impact
Unconsented broad AI-agent control-surface mutation that can steer future agent behavior
Mechanism
copies bundled AGENTS.md and CLAUDE.md into the consumer root
Policy narrative
On npm postinstall, `bin/init.js` identifies the consumer project via `INIT_CWD`, then creates root-level `AGENTS.md` and `CLAUDE.md` from package templates when absent. Those files instruct Codex and Claude to follow package-provided design-system guidance and reference package-controlled documents. Although the installer avoids overwriting existing files and shows no network activity, automatic installation-time creation of these broad agent-control files is unconsented.
Rationale
This is a concrete postinstall mutation of a foreign project’s broad AI-agent control surface. The benign design-system purpose and overwrite guard do not remove the unconsented lifecycle-based control-surface write.
Evidence
package.jsonbin/init.jstemplates/AGENTS.mdtemplates/CLAUDE.mddist/index.jsAGENTS.mdCLAUDE.md

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node ./bin/init.js postinstall` during installation.
  • `bin/init.js` resolves the consumer root from `INIT_CWD` and copies files there.
  • Postinstall copies `templates/AGENTS.md` to `AGENTS.md` and `templates/CLAUDE.md` to `CLAUDE.md`.
  • The dropped files direct Codex/Claude to follow package-supplied AI instructions and read package-controlled guidance.
Evidence against
  • Installer skips when no consumer `package.json` exists or when installing the package itself.
  • Existing destination files are not overwritten without `--force`.
  • Inspected runtime entrypoint and installer show no network, credential harvesting, or shell execution.
Behavioral surface
Source
DynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 360 KB of source, external domains: assets.cake.jp, github.com, social-plugins.line.me, twitter.com, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/init.js postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/init.js postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/init.jsView file
1Install-time AI-agent control hijack evidence: L5: // AI エージェントは node_modules 配下のファイルを自動で読まないため、 L6: // プロジェクトルートに AGENTS.md / CLAUDE.md(node_modules 内の DS 利用ガイドを L7: // 参照する薄いポインタ)を置く必要がある。 ... L9: // Usage: L10: // npx cakejp-ds init # AGENTS.md + CLAUDE.md を設置 L11: // npx cakejp-ds init --force # 既存ファイルを上書き ... L13: L14: import { copyFileSync, existsSync } from "node:fs" L15: import { dirname, join, resolve } from "node:path" ... L79: const files = [ L80: { src: "templates/AGENTS.md", dest: "AGENTS.md", label: "Codex 用" }, L81: { src: "templates/CLAUDE.md", dest: "CLAUDE.md", label: "Claude Code 用" }, Payload evidence from templates/AGENTS.md: L1: <!-- L2: このファイルは @cakejp/design-system の postinstall で自動設置されました。
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/init.jsView on unpkg · L1
44} L45: await import(join(pkgRoot, "scripts/codemod/v0.2-to-v0.3.mjs")) L46: process.exit(0)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/init.jsView on unpkg · L44

Findings

1 Critical1 High4 Medium6 Low
CriticalAi Agent Control Hijackbin/init.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/init.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License