registry  /  @canonry/canonry  /  4.107.0

@canonry/canonry@4.107.0

Agent-first open-source AEO operating platform - track how answer engines cite your domain

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI/server for Canonry that performs user-invoked setup, telemetry, provider API calls, skill installation, MCP config installation, and optional plugin installation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs canonry/cnry CLI commands such as init, serve, skills install, mcp install, or integration sync commands.
Impact
Can create local Canonry config/database, install bundled agent docs/config, call configured third-party APIs, and optionally install DuckDB plugin; no evidence of credential harvesting or covert exfiltration.
Mechanism
User-invoked CLI operations with opt-out telemetry and package-aligned integrations
Rationale
Static hints map to package-aligned CLI features: opt-out telemetry, user-invoked AI-agent skill/MCP setup, provider integrations, daemon spawning, and optional plugin install. I found no lifecycle execution, covert credential/env harvesting, destructive persistence, or unconsented install-time AI-agent control-surface mutation.
Evidence
package.jsonbin/canonry.mjsbin/canonry-mcp.mjsdist/cli.jsdist/chunk-NDXV6EYD.jsdist/chunk-QLWRJEII.jsassets/agent-workspace/AGENTS.mdassets/agent-workspace/skills/canonry/SKILL.mdassets/agent-workspace/skills/aero/SKILL.md~/.canonry/config.yaml~/.canonry/data.db~/.canonry/canonry.pid.claude/skills/<skill>.codex/skills/<skill>.mcp.json~/.canonry/plugins/package.json
Network endpoints9
canonry.ai/api/telemetryregistry.npmjs.org/-/package/@canonry/canonry/dist-tagsapi.perplexity.aiapi.ads.openai.com/v1oauth2.googleapis.com/tokenanalyticsdata.googleapis.com/v1betassl.bing.com/webmaster/api.svc/jsonlogging.googleapis.com/v2/entries:listvercel.com/api/logs/request-logs

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/chunk-NDXV6EYD.js posts opt-out telemetry to https://canonry.ai/api/telemetry with anonymousId, version, node/os/arch.
  • dist/cli.js init can write bundled skills to .claude/skills and .codex/skills, and MCP config to .mcp.json when run in a project.
  • dist/chunk-QLWRJEII.js can spawn npm/pnpm to install @duckdb/node-api for CommonCrawl plugin when that feature is invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • bin/canonry.mjs and bin/canonry-mcp.mjs only import CLI/MCP entrypoints; no install-time execution.
  • Telemetry has visible notice and disables for CANONRY_TELEMETRY_DISABLED, DO_NOT_TRACK, CI, or config telemetry:false.
  • AI-agent skill and MCP writes are tied to explicit canonry init/skills/mcp commands, not package install/import.
  • Credential/API-key handling is for configured providers and integrations; source redacts secrets in error/detail paths reviewed.
  • Network endpoints are package-aligned: Canonry telemetry/update checks, npm registry, AI/Google/Bing/OpenAI/Vercel/WordPress integrations.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 4.37 MB of source, external domains: accounts.google.com, aistudio.google.com, analyticsdata.googleapis.com, api.ads.openai.com, api.deepinfra.com, api.perplexity.ai, bit.ly, brightkidsdental.com, businessprofileperformance.googleapis.com, canonry.ai, canonry.local, citypointdental.com, commoncrawl.org, console.cloud.google.com, console.developers.google.com, data.commoncrawl.org, developers.google.com, downtownsmiles.com, example.com, github.com, harbordental.com, hooks.example.com, indexing.googleapis.com, json-schema.org, logging.googleapis.com, mybusinessaccountmanagement.googleapis.com, mybusinessbusinessinformation.googleapis.com, mybusinesslodging.googleapis.com, oauth2.googleapis.com, openai.com, parkpediatricdental.com, places.googleapis.com, platform.claude.com, platform.openai.com, radix-ui.com, rdap.arin.net, react.dev, redacted.invalid, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, schema.org, searchconsole.googleapis.com, ssl.bing.com, support.google.com, vercel.com, www.bing.com, www.googleapis.com, www.npmjs.com, www.perplexity.ai

Source & flagged code

4 flagged · loading source
dist/chunk-QLWRJEII.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @canonry/canonry@4.106.1 matchedIdentity = npm:QGNhbm9ucnkvY2Fub25yeQ:4.106.1 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/chunk-QLWRJEII.jsView on unpkg
25817// ../integration-commoncrawl/src/plugin-installer.ts L25818: import { spawn } from "child_process"; L25819: import fs4 from "fs/promises";
High
Child Process

Package source references child process execution.

dist/chunk-QLWRJEII.jsView on unpkg · L25817
dist/cli.jsView file
10348databasePath, L10349: apiUrl: env.apiUrl || existingConfig?.apiUrl || `http://localhost:${process.env.CANONRY_PORT || "4100"}`, L10350: providers: Object.keys(mergedProviders ?? {}), ... L10363: // src/commands/daemon.ts L10364: import { spawn } from "child_process"; L10365: import fs9 from "fs";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L10348
dist/chunk-NDXV6EYD.jsView file
187var _require = createRequire(import.meta.url); L188: var { version: VERSION } = _require("../package.json"); L189: var TELEMETRY_ENDPOINT = "https://canonry.ai/api/telemetry"; L190: var TIMEOUT_MS = 3e3; ... L201: function isTelemetryEnabled() { L202: if (process.env.CANONRY_TELEMETRY_DISABLED === "1") return false; L203: if (process.env.DO_NOT_TRACK === "1") return false; L204: if (process.env.CI) return false; L205: if (!configExists()) return true; ... L243: try { L244: const hostname = os.hostname() || ""; L245: const mac = firstNonInternalMac();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/chunk-NDXV6EYD.jsView on unpkg · L187

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-QLWRJEII.js
HighChild Processdist/chunk-QLWRJEII.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighHost Fingerprint Exfiltrationdist/chunk-NDXV6EYD.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings