registry  /  @ubnt/cawcut  /  0.1.5

@ubnt/cawcut@0.1.5

CawCut developer CLI — auth, generate, app run, task status

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Global npm install mutates multiple AI-agent skill surfaces by installing an external CawCut skill repo. This is an unconsented postinstall change to broad agent control surfaces.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm install -g @ubnt/cawcut
Impact
Installs external agent skills into Cursor, Claude Code, Codex, and shared skills locations, potentially changing future agent behavior.
Mechanism
postinstall invokes npx skills add for AI-agent skills
Policy narrative
On global installation, the package postinstall checks global install state, then spawns npx --yes skills add Ubiquiti-UID/flow-cawcut-skill globally for cursor, claude-code, and codex. This installs agent skills into broad AI-agent control surfaces without an explicit user command.
Rationale
The decisive behavior is not ordinary CLI networking; it is unconsented postinstall mutation of foreign/broad AI-agent control surfaces. Under the provided policy this should be blocked even though the repo and API names appear package-aligned. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsondist/postinstall.jsdist/lib/skills-install.jsdist/lib/skills-agents.jsdist/lib/bootstrap-skills.jsconfig/products.json~/.cursor/skills~/.claude/skills~/.codex/skills~/.agents/skills
Network endpoints4
Ubiquiti-UID/flow-cawcut-skillapp.cawcut.comapi.cawcut.com/cawcut-user/api/v1api.cawcut.com/cawcut-workflow/api

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node dist/postinstall.js.
  • dist/postinstall.js runs on global install and calls installCawcutSkills without user command consent.
  • dist/lib/skills-install.js spawns npx --yes skills add Ubiquiti-UID/flow-cawcut-skill -g -y --skill *.
  • dist/lib/skills-agents.js targets cursor, claude-code, and codex agent skill directories.
  • dist/lib/bootstrap-skills.js can also auto-install missing skills during normal CLI invocation.
Evidence against
  • postinstall skips local installs, CI=true, or CAWCUT_SKIP_SETUP=1.
  • OAuth/API endpoints in config/products.json are package-aligned cawcut.com services.
  • Credential storage is local .cawcut credentials.json with 0600 mode; no source evidence of credential exfiltration.
  • Uninstall path removes named CawCut skills and local credentials.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 135 KB of source, external domains: fonts.googleapis.com, fonts.gstatic.com, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lib/uninstall-cawcut.jsView file
1import { spawnSync } from "node:child_process"; L2: import { dirname } from "node:path";
High
Child Process

Package source references child process execution.

dist/lib/uninstall-cawcut.jsView on unpkg · L1
dist/lib/skills-install.jsView file
33return new Promise((resolve, reject) => { L34: const child = spawn("npx", ["--yes", "skills", ...skillArgs], { L35: stdio: [stdin, stdout, stderr],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/skills-install.jsView on unpkg · L33
matchType = normalized_sha256 matchedPackage = @ubnt/cawcut@0.1.4 matchedPath = dist/lib/sk[redacted] matchedIdentity = npm:QHVibnQvY2F3Y3V0:0.1.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/lib/skills-install.jsView on unpkg
dist/commands/upgrade.jsView file
matchType = normalized_sha256 matchedPackage = @ubnt/cawcut@0.1.4 matchedPath = dist/commands/upgrade.js matchedIdentity = npm:QHVibnQvY2F3Y3V0:0.1.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/commands/upgrade.jsView on unpkg
dist/lib/oauth.jsView file
matchType = normalized_sha256 matchedPackage = @ubnt/cawcut@0.1.4 matchedPath = dist/lib/oauth.js matchedIdentity = npm:QHVibnQvY2F3Y3V0:0.1.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/lib/oauth.jsView on unpkg
dist/lib/is-global-install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ubnt/cawcut@0.1.3 matchedIdentity = npm:QHVibnQvY2F3Y3V0:0.1.3 similarity = 0.519 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/is-global-install.jsView on unpkg

Findings

1 Critical7 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/is-global-install.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/lib/uninstall-cawcut.js
HighShell
HighRuntime Package Installdist/lib/skills-install.js
HighKnown Malware Source Similaritydist/lib/skills-install.js
HighKnown Malware Source Similaritydist/commands/upgrade.js
HighKnown Malware Source Similaritydist/lib/oauth.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings