registry  /  @canonry/canonry  /  4.108.0

@canonry/canonry@4.108.0

Agent-first open-source AEO operating platform - track how answer engines cite your domain

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a self-hosted AEO CLI/server with documented telemetry, integrations, agent skills, and MCP setup activated by user commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs canonry/cnry commands such as init, serve, skills install, mcp install, or backlinks install.
Impact
Package can write Canonry config, project agent skill files, MCP config, cache/plugin files, and make product-aligned network requests when invoked.
Mechanism
documented CLI setup, telemetry, API integrations, and optional plugin install
Rationale
Static source inspection found sensitive primitives, but they are tied to documented Canonry CLI/server features and user-invoked setup or integrations. There is no install-time/import-time execution, hidden persistence, credential theft, destructive behavior, or unconsented AI-agent control mutation.
Evidence
package.jsonbin/canonry.mjsbin/canonry-mcp.mjsREADME.mddist/cli.jsdist/mcp.jsdist/chunk-EMG4LIUJ.jsdist/chunk-45YSA7GH.jsdist/chunk-EKGKGKID.jsassets/agent-workspace/skills/canonry/SKILL.mdassets/agent-workspace/skills/aero/SKILL.md~/.canonry/config.yaml~/.canonry/data.db.claude/skills/canonry.claude/skills/aero.codex/skills/canonry.codex/skills/aero.mcp.json~/.canonry/plugins
Network endpoints5
canonry.ai/api/telemetryregistry.npmjs.org/-/package/@canonry/canonry/dist-tagsoauth2.googleapis.com/tokenanalyticsdata.googleapis.com/v1betadata.commoncrawl.org/projects/hyperlinkgraph

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/chunk-EMG4LIUJ.js implements opt-out telemetry to https://canonry.ai/api/telemetry with anonymized ID derived from hostname/MAC fallback.
  • dist/cli.js init can user-invoked install bundled agent skills and MCP config into project agent control surfaces.
  • dist/chunk-45YSA7GH.js has user-invoked npm spawn for Common Crawl DuckDB plugin install.
Evidence against
  • package.json has no lifecycle scripts; bin wrappers only import dist/cli.js or dist/mcp.js on user execution.
  • README.md discloses cnry init scaffolds .claude/.codex skills; code performs this only during init/skills commands, not install/import.
  • Telemetry has notice and disable paths via CANONRY_TELEMETRY_DISABLED, DO_NOT_TRACK, CI, and canonry telemetry disable.
  • Network endpoints are package-aligned: Canonry telemetry/update checks, npm registry, Google/OAuth/GA/GSC, Common Crawl, WordPress/Vercel/Cloud Run integrations.
  • MCP installer writes explicit canonry-mcp entries with backups/dry-run support; not hidden persistence.
  • No credential harvesting or exfiltration beyond user-configured provider/integration credentials for documented product features.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 4.37 MB of source, external domains: accounts.google.com, aistudio.google.com, analyticsdata.googleapis.com, api.ads.openai.com, api.deepinfra.com, api.perplexity.ai, bit.ly, brightkidsdental.com, businessprofileperformance.googleapis.com, canonry.ai, canonry.local, citypointdental.com, commoncrawl.org, console.cloud.google.com, console.developers.google.com, data.commoncrawl.org, developers.google.com, downtownsmiles.com, example.com, github.com, harbordental.com, hooks.example.com, indexing.googleapis.com, json-schema.org, logging.googleapis.com, mybusinessaccountmanagement.googleapis.com, mybusinessbusinessinformation.googleapis.com, mybusinesslodging.googleapis.com, oauth2.googleapis.com, openai.com, parkpediatricdental.com, places.googleapis.com, platform.claude.com, platform.openai.com, radix-ui.com, rdap.arin.net, react.dev, redacted.invalid, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, schema.org, searchconsole.googleapis.com, ssl.bing.com, support.google.com, vercel.com, www.bing.com, www.googleapis.com, www.npmjs.com, www.perplexity.ai

Source & flagged code

4 flagged · loading source
dist/chunk-45YSA7GH.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @canonry/canonry@4.107.0 matchedIdentity = npm:QGNhbm9ucnkvY2Fub25yeQ:4.107.0 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-45YSA7GH.jsView on unpkg
25832// ../integration-commoncrawl/src/plugin-installer.ts L25833: import { spawn } from "child_process"; L25834: import fs4 from "fs/promises";
High
Child Process

Package source references child process execution.

dist/chunk-45YSA7GH.jsView on unpkg · L25832
dist/cli.jsView file
10348databasePath, L10349: apiUrl: env.apiUrl || existingConfig?.apiUrl || `http://localhost:${process.env.CANONRY_PORT || "4100"}`, L10350: providers: Object.keys(mergedProviders ?? {}), ... L10363: // src/commands/daemon.ts L10364: import { spawn } from "child_process"; L10365: import fs9 from "fs";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L10348
dist/chunk-EMG4LIUJ.jsView file
187var _require = createRequire(import.meta.url); L188: var { version: VERSION } = _require("../package.json"); L189: var TELEMETRY_ENDPOINT = "https://canonry.ai/api/telemetry"; L190: var TIMEOUT_MS = 3e3; ... L201: function isTelemetryEnabled() { L202: if (process.env.CANONRY_TELEMETRY_DISABLED === "1") return false; L203: if (process.env.DO_NOT_TRACK === "1") return false; L204: if (process.env.CI) return false; L205: if (!configExists()) return true; ... L243: try { L244: const hostname = os.hostname() || ""; L245: const mac = firstNonInternalMac();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/chunk-EMG4LIUJ.jsView on unpkg · L187

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-45YSA7GH.js
HighChild Processdist/chunk-45YSA7GH.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighHost Fingerprint Exfiltrationdist/chunk-EMG4LIUJ.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings