# Add to your Claude Code skills
git clone https://github.com/wbopan/cuiLast scanned: 4/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@anthropic-ai/claude-code: Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@musistudio/llms: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@remix-run/router: React Router vulnerable to XSS via Open Redirects",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@rollup/plugin-terser: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "bn.js: bn.js affected by an infinite loop",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "body-parser: body-parser is vulnerable to denial of service when url encoding is used",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "diff: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"severity": "low"
},
{
"type": "npm-audit",
"message": "express: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fastify: Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "gaxios: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"severity": "high"
},
{
"type": "npm-audit",
"message": "happy-dom: Happy DOM: VM Context Escape can lead to Remote Code Execution",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "jws: auth0/node-jws Improperly Verifies HMAC Signature",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mdast-util-to-hast: mdast-util-to-hast has unsanitized class attribute",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "multer: Multer vulnerable to Denial of Service via incomplete cleanup",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "react-router: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "react-router-dom: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar-fs: tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite middleware may serve files starting with the same name with the public directory",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite-plugin-pwa: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "workbox-build: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-04-30T06:30:16.137Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}cui is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by wbopan. A web UI for Claude Code agents. It has 1,151 GitHub stars.
cui failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/wbopan/cui" and add it to your Claude Code skills directory (see the Installation section above).
cui is primarily written in TypeScript. It is open-source under wbopan on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh cui against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.