registry  /  @canonry/canonry  /  4.116.0

@canonry/canonry@4.116.0

Agent-first open-source AEO operating platform - track how answer engines cite your domain

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Normal CLI invocation sends package-aligned telemetry by default. The telemetry identifier can be deterministically derived from local hostname and MAC address when no configured identifier exists.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs a non-help Canonry CLI command while telemetry is enabled.
Impact
Persistent device correlation and command-usage disclosure to the package operator; no credential theft, remote payload execution, or install-time execution was found.
Mechanism
Host-derived telemetry identifier posted to the Canonry telemetry endpoint.
Rationale
No malicious install hook, credential harvesting, foreign agent-control mutation, remote code execution, or destructive behavior was found. Default telemetry transmits a host-derived stable identifier to the vendor endpoint, so warn rather than block.
Evidence
package.jsonbin/canonry.mjsbin/canonry-mcp.mjsdist/cli.jsdist/chunk-GV665WOU.jsdist/chunk-WEAXJ25Y.jsdist/chunk-RVH6QPTA.jsassets/agent-workspace/AGENTS.md
Network endpoints1
canonry.ai/api/telemetry

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-GV665WOU.js` derives an anonymous ID from hostname and a non-internal MAC address when no stored ID exists.
  • `dist/chunk-GV665WOU.js` POSTs telemetry to `https://canonry.ai/api/telemetry` with that ID, OS, architecture, Node version, and command properties.
  • `dist/cli.js` invokes telemetry for normal CLI commands unless disabled.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall lifecycle hook.
  • `bin/canonry.mjs` and `bin/canonry-mcp.mjs` only dynamically import their CLI/MCP entrypoints after explicit execution.
  • `dist/cli.js` MCP and skills writes are tied to explicit `mcp install`, `skills install`, or `init` commands, with backup/dry-run support.
  • Child-process use opens an OAuth URL, starts this package's server daemon, or installs the optional CommonCrawl DuckDB plugin.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 4.44 MB of source, external domains: accounts.google.com, aistudio.google.com, analyticsdata.googleapis.com, api.ads.openai.com, api.deepinfra.com, api.perplexity.ai, bit.ly, brightkidsdental.com, businessprofileperformance.googleapis.com, canonry.ai, canonry.local, citypointdental.com, commoncrawl.org, console.cloud.google.com, console.developers.google.com, data.commoncrawl.org, developers.google.com, downtownsmiles.com, example.com, fonts.googleapis.com, github.com, harbordental.com, hooks.example.com, indexing.googleapis.com, json-schema.org, logging.googleapis.com, mybusinessaccountmanagement.googleapis.com, mybusinessbusinessinformation.googleapis.com, mybusinesslodging.googleapis.com, oauth2.googleapis.com, openai.com, parkpediatricdental.com, places.googleapis.com, platform.claude.com, platform.openai.com, radix-ui.com, rdap.arin.net, react.dev, redacted.invalid, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, schema.org, searchconsole.googleapis.com, ssl.bing.com, support.google.com, vercel.com, www.bing.com, www.googleapis.com, www.npmjs.com

Source & flagged code

4 flagged · loading source
dist/chunk-WEAXJ25Y.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @canonry/canonry@4.113.0 matchedIdentity = npm:QGNhbm9ucnkvY2Fub25yeQ:4.113.0 similarity = 0.885 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-WEAXJ25Y.jsView on unpkg
26301// ../integration-commoncrawl/src/plugin-installer.ts L26302: import { spawn } from "child_process"; L26303: import fs4 from "fs/promises";
High
Child Process

Package source references child process execution.

dist/chunk-WEAXJ25Y.jsView on unpkg · L26301
dist/cli.jsView file
10699databasePath, L10700: apiUrl: env.apiUrl || existingConfig?.apiUrl || `http://localhost:${process.env.CANONRY_PORT || "4100"}`, L10701: providers: Object.keys(mergedProviders ?? {}), ... L10714: // src/commands/daemon.ts L10715: import { spawn } from "child_process"; L10716: import fs10 from "fs";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L10699
dist/chunk-GV665WOU.jsView file
187var _require = createRequire(import.meta.url); L188: var { version: VERSION } = _require("../package.json"); L189: var TELEMETRY_ENDPOINT = "https://canonry.ai/api/telemetry"; L190: var TIMEOUT_MS = 3e3; ... L201: function isTelemetryEnabled() { L202: if (process.env.CANONRY_TELEMETRY_DISABLED === "1") return false; L203: if (process.env.DO_NOT_TRACK === "1") return false; L204: if (process.env.CI) return false; L205: if (!configExists()) return true; ... L243: try { L244: const hostname = os.hostname() || ""; L245: const mac = firstNonInternalMac();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/chunk-GV665WOU.jsView on unpkg · L187

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-WEAXJ25Y.js
HighChild Processdist/chunk-WEAXJ25Y.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighHost Fingerprint Exfiltrationdist/chunk-GV665WOU.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings