registry  /  @ubnt/cawcut  /  0.1.4

@ubnt/cawcut@0.1.4

CawCut developer CLI — auth, generate, app run, task status

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Global npm install triggers automatic AI-agent skill setup via npx skills. This mutates broad agent control surfaces for Cursor, Claude Code, and Codex during postinstall.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install -g @ubnt/cawcut with lifecycle scripts enabled
Impact
Installs package-provided global skills into AI-agent environments, enabling future agent-facing commands/capabilities from the package skill repo.
Mechanism
postinstall AI-agent skill installation via npx skills add
Policy narrative
On global install, postinstall checks that setup is not skipped and the package appears globally installed, then invokes installCawcutSkills. That function spawns npx --yes skills add Ubiquiti-UID/flow-cawcut-skill -g with default agents cursor, claude-code, and codex. This is unconsented install-time mutation of broad AI-agent control surfaces, despite being package-aligned and lacking observed exfiltration.
Rationale
Source inspection confirms install-time mutation of broad AI-agent control surfaces through a postinstall hook, which meets the block policy. The scanner finding is substantiated by package.json, dist/postinstall.js, skills-install.js, and skills-agents.js. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsondist/postinstall.jsdist/lib/skills-install.jsdist/lib/skills-agents.jsdist/lib/is-global-install.jsdist/index.jsdist/lib/bootstrap-skills.jsdist/lib/uninstall-cawcut.jsconfig/products.json
Network endpoints6
app.cawcut.comapi.cawcut.comapp.dev.cawcut.comapi.dev.cawcut.comapp.dev1.cawcut.comapi.dev1.cawcut.com

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node dist/postinstall.js
  • dist/postinstall.js auto-runs installCawcutSkills during global install unless CAWCUT_SKIP_SETUP/CI
  • dist/lib/skills-install.js spawns npx --yes skills add Ubiquiti-UID/flow-cawcut-skill -g
  • dist/lib/skills-agents.js defaults targets to cursor, claude-code, and codex
  • dist/index.js also bootstraps missing skills on normal CLI invocation
Evidence against
  • postinstall skips local installs, CI, and CAWCUT_SKIP_SETUP=1
  • No credential exfiltration found in inspected files
  • Skill repo is package-aligned, not an arbitrary encoded loader
  • No eval/vm/Function or obfuscated payload found
  • Uninstall path removes package skills and local cawcut data
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 43 file(s), 130 KB of source, external domains: fonts.googleapis.com, fonts.gstatic.com, www.w3.org

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lib/uninstall-cawcut.jsView file
1import { spawnSync } from "node:child_process"; L2: import { dirname, join } from "node:path";
High
Child Process

Package source references child process execution.

dist/lib/uninstall-cawcut.jsView on unpkg · L1
dist/lib/skills-install.jsView file
33return new Promise((resolve, reject) => { L34: const child = spawn("npx", ["--yes", "skills", ...skillArgs], { L35: stdio: [stdin, stdout, stderr],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/skills-install.jsView on unpkg · L33
dist/lib/is-global-install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ubnt/cawcut@0.1.3 matchedIdentity = npm:QHVibnQvY2F3Y3V0:0.1.3 similarity = 0.519 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/is-global-install.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/is-global-install.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/lib/uninstall-cawcut.js
HighShell
HighRuntime Package Installdist/lib/skills-install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings