registry  /  @equal-experts/kuat-react  /  0.15.1

@equal-experts/kuat-react@0.15.1

React components and blocks for the Kuat Design System: **localized primitives** (forms, actions, feedback, **IconButton**) and **composed blocks** (header, carousel, logo lockup, etc.). Use **`@equal-experts/kuat-core`** for tokens and the **shadcn CLI**

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
A user copies the README guardrails into their project's `AGENTS.md` or `.cursorrules`, or an agent follows the bundled `agent-docs/AGENTS.md`.
Impact
Future agent workflows may be biased toward Kuat documentation and component choices; no exfiltration, remote execution, or automatic mutation was found.
Mechanism
Explicit user-directed AI-agent configuration and rule-loading guidance.
Rationale
Source inspection found no malware behavior, but confirmed explicit documentation-driven mutation of project agent configuration. Downgrade to warn rather than block because activation requires a user or agent to follow the documented setup and no harmful payload is present.
Evidence
package.jsonREADME.mdagent-docs/AGENTS.mdagent-docs/rules/LOADING-consumer.mddist/index.jsdist/badge-BFeIqSCP.jsagent-docs/bundle-manifest.json

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `README.md` instructs users to add Kuat-first rules to their project `AGENTS.md` or `.cursorrules`.
  • `agent-docs/AGENTS.md` directs AI agents to load package rules and run an externally provided `ensure-rules.sh`.
  • The supplied agent rules influence future agent component-selection behavior.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • Published `dist/*.js` contains no child-process, filesystem, network, eval, dynamic-loader, or credential-harvesting primitive.
  • The only `process.env` use in `dist/badge-BFeIqSCP.js` gates a development deprecation warning.
  • No executable binary, network endpoint, persistence mechanism, or automatic project-file mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 190 KB of source, external domains: www.w3.org

Source & flagged code

1 flagged · loading source
agent-docs/AGENTS.mdView file
Published source reference
Medium
Ai Review Evidence

`agent-docs/AGENTS.md` directs AI agents to load package rules and run an externally provided `ensure-rules.sh`.

agent-docs/AGENTS.mdView on unpkg

Findings

4 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidenceagent-docs/AGENTS.md
MediumAi Review Evidence
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings