64OUT OF 100
CautionCautionSandbox run

AmrDab/clawdcursor

We ran AmrDab/clawdcursor, a node project, in an isolated sandbox. It built and started, then exited with an error on startup. We observed no malicious behavior, credential access, or outbound exfiltration. Its score is held down by install-time network/shell execution.

Repository size
8028 KB
Packages
23
Stars
388
Created
2 yr 11 mo
Reputation signals
AmrDab avatar
AmrDab
@AmrDab
Account age2 yr 11 mo
Public repos11
Forks58
Community sentiment85

Positive

Code & behavior signals
Install-time network/shell execution
MediumCode

The package.json contains a postinstall script that executes local node scripts. This is consistent with the project's documented installation requirements.

Local IPC communication
LowBehavior

The application uses localhost ports (127.0.0.1:3847/3848) for agent communication, which is standard for local desktop automation tools.

What running it revealed
What it ran
Project typenode
Auto-buildBuilt unattended
Ran to completionNo / crashed
Three agents read the code

Three agents — install-time, runtime, and payload — read the source in parallel and cross-verified. These are their inferences from reading the code; the runtime facts below are what actually happened when we ran it.

install agent flagged docs/install.shCode read · not confirmed at runtime

Agent analysis (code read, not a runtime observation): Reviewed docs/install.sh: the model took tool action but attached no narrative to this turn.

install agent flagged native/build.shCode read · not confirmed at runtime

Agent analysis (code read, not a runtime observation): Reviewed native/build.sh: the model took tool action but attached no narrative to this turn.

runtime agent flagged scripts/mac/get-ui-tree.shCode read · not confirmed at runtime

Agent analysis (code read, not a runtime observation): Reviewed scripts/mac/get-ui-tree.sh: the model took tool action but attached no narrative to this turn.

payload agent flagged scripts/mac/find-element.shCode read · not confirmed at runtime

Agent analysis (code read, not a runtime observation): The file `scripts/mac/find-element.sh` is a shell script designed to interface with macOS accessibility features via JXA (JavaScript for Automation) and `osascript`. Its stated purpose is to provide a cross-platform wrapper for UI element discovery, mapping macOS accessibility roles to a Windows-like schema. ### Static Analysis Observations * **Functionality**: The script parses command-line arguments, maps UI roles (e.g., "Button" to "button"), executes a companion JXA script (`find-element.jxa`), and uses a Python one-liner to transform the resulting JSON output. * **Suspicion Level**: Low. The script follows a standard pattern for cross-platform automation tools. It does not contain obfuscated code, base64 blobs, or suspicious network activity. * **Dependencies**: It relies on `osascript` (a standard macOS utility) and `/usr/bin/python3`. * **Potential Risks**: While the script itself appears benign, it acts as a wrapper for `find-element.jxa`. The security of this operation depends entirely on the contents of that JXA file. ### Detonation Plan I will detonate this script to observe its interaction with the system. 1. **Dependency Check**: Verify the existence of `scripts/mac/find-element.jxa` in the repository, as the shell script will fail without it. 2. **Execution**: Run the script in the sandbox with benign arguments (e.g., `-Name "Finder"`) to observe the `osascript` call and the subsequent data transformation. 3. **Scope**: Monitor for any unexpected system calls or attempts to access sensitive files (e.g., keychain, SSH keys) during the execution of the JXA script. I will now proceed to check for the existence of the companion file before detonating.

Network intent — what it tried to reach

No outbound connection attempts were observed during this run.

In-VM behavior
0
High-value credential reads · from planted decoys
15
Processes spawned
0
Files dropped
0.00
CPU cores busy
Containment proof
No real packet reached its destination

A control probe confirmed the sandbox intercepts all egress (the microVM has no route to the real internet except the forge) and a direct UDP query was dropped (non-TCP egress contained). The detonation itself made no outbound connection attempts during this run.

External monitor saw the egress attempt
In-VM trace corroborated it
Per-package scoring
82
clawdcursor
Standard npm package structure with documented postinstall scripts.
Final verdict

We ran it in the sandbox and observed no malicious behavior, credential access, or outbound exfiltration.

End-to-end logs
Clone
Repository cloned successfully.
Commit hash: ff4a4025257f12e2715ce3b02ddbc64b0af09203
Static scan
Detected postinstall scripts in package.json.
Detected local IPC usage on 127.0.0.1.
Verified consistency between README documentation and code-side IPC patterns.
Reputation
Owner established for nearly 3 years.
Project has 388 stars and 58 forks, indicating community usage.
Read
README intent matches observed installation scripts and local network usage.
Sandbox run
Built and started, then exited with an error on startup; no malicious behavior observed before exit.
Score
Score computed from the sandbox run: 64/100 (runtime-primary, deterministic)
+100 [code] runtime_observation: The sandbox run scored 100/100 from observed runtime behavior — the primary signal.
-10 [code] static_residual: 2 static code/behavior concern(s) the run did not exercise (bounded residual risk).
-26 [code] incomplete_run_ceiling: The repo did not both build and run cleanly in the sandbox; the score is capped at 64.
Auto-published at clauderabbit.in/AmrDab/clawdcursor · re-checked when the repo changes