registry  /  u-foo  /  2.5.5

u-foo@2.5.5

Multi-Agent Workspace Protocol. Just add u. claude → uclaude, codex → ucodex.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates global Claude and Codex agent control surfaces during npm postinstall. This is unconsented install-time AI-agent extension installation into foreign/broad user-level locations.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of u-foo@2.5.5
Impact
Installs package-supplied instructions into Claude/Codex global skill and command directories, replacing existing target entries when present.
Mechanism
postinstall symlink installation of package AI-agent skills/commands
Policy narrative
On npm install, the postinstall script scans package SKILLS and force-symlinks them into Claude command/skill directories and Codex skills under CODEX_HOME or ~/.codex. Existing targets with the same names are removed first. This changes broad AI-agent control surfaces before the user invokes the package.
Rationale
Under the install control surface policy, unconsented npm postinstall mutation of foreign/broad AI-agent control surfaces is blockable even when the payload is package-aligned and no exfiltration is observed. Runtime shell, terminal injection, and network features appear user-invoked orchestration behavior rather than separate confirmed malware chains. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.jsSKILLS/uctx/SKILL.mdSKILLS/ubus/SKILL.mdbin/ufoo.jssrc/coordination/bus/inject.js~/.claude/commands/uctx.md~/.claude/commands/ubus.md~/.claude/skills/uctx~/.claude/skills/ubus${CODEX_HOME:-~/.codex}/skills/uctx${CODEX_HOME:-~/.codex}/skills/ubusnode_modules/node-pty/prebuilds/darwin-arm64/spawn-helpernode_modules/node-pty/prebuilds/darwin-x64/spawn-helper

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.js.
  • scripts/postinstall.js creates ~/.claude/commands and ~/.claude/skills entries from package SKILLS.
  • scripts/postinstall.js also writes into ${CODEX_HOME:-~/.codex}/skills at install time.
  • forceSymlink removes any existing link/file/dir at each target path before symlinking package content.
  • SKILLS/uctx and SKILLS/ubus are agent command/skill instructions that affect Claude/Codex behavior.
Evidence against
  • No credential harvesting or exfiltration found in postinstall script.
  • Installed skill content appears ufoo-aligned, referencing ufoo context and bus workflows.
  • Network endpoints found are runtime/user-invoked online features, not postinstall exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 259 file(s), 1.97 MB of source, external domains: api.anthropic.com, api.openai.com, auth.openai.com, chatgpt.com, online.ufoo.dev

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/ufoo.jsView file
80L81: const { execSync } = require("child_process"); L82: const path = require("path");
High
Child Process

Package source references child process execution.

bin/ufoo.jsView on unpkg · L80
bin/uagy.jsView file
20L21: const AgentLauncher = require("../src/agents/launch/launcher"); L22: const { resolveDefaultManualBootstrap } = require("../[redacted]");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/uagy.jsView on unpkg · L20
src/runtime/projects/projectId.jsView file
1const crypto = require("crypto"); L2: const fs = require("fs");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/runtime/projects/projectId.jsView on unpkg · L1
src/coordination/bus/inject.jsView file
1const { spawn, spawnSync } = require("child_process"); L2: const fs = require("fs"); L3: const net = require("net"); L4: const path = require("path"); ... L7: L8: const SHOULD_LOG_INJECT = process.env.UFOO_INJECT_DEBUG === "1"; L9: const logInject = (message) => {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/coordination/bus/inject.jsView on unpkg · L1
scripts/postinstall.jsView file
62Install-time AI-agent control hijack evidence: L62: function installClaudeCommands(home, sources) { L63: const commandsDir = path.join(home, ".claude", "commands"); L64: fs.mkdirSync(commandsDir, { recursive: true }); L65: ... L73: function installSkillDirs(targetDir, sources, label) { L74: fs.mkdirSync(targetDir, { recursive: true }); L75: ... L83: // Install ufoo skills for Claude and Codex at npm install time. L84: // - Claude slash commands: ~/.claude/commands/<name>.md -> SKILL.md L85: // - Claude skills: ~/.claude/skills/<name> -> skill dir L86: // - Codex skills: ${CODEX_HOME:-~/.codex}/skills/<name> -> skill dir L87: try { Payload evidence from SKILLS/ufoo/SKILL.md: L141: Notes: L142: - Use `--scope private` for helper-internal reports (assistant-like private channel). L143: - `--controller ufoo-agent` routes report events to the ufoo-agent private inbox.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L62

Findings

1 Critical4 High5 Medium6 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/ufoo.js
HighShell
HighSame File Env Network Executionsrc/coordination/bus/inject.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/uagy.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/runtime/projects/projectId.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License