registry  /  @canonry/canonry  /  4.112.7

@canonry/canonry@4.112.7

Agent-first open-source AEO operating platform - track how answer engines cite your domain

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 4.39 MB of source, external domains: accounts.google.com, aistudio.google.com, analyticsdata.googleapis.com, api.ads.openai.com, api.deepinfra.com, api.perplexity.ai, bit.ly, brightkidsdental.com, businessprofileperformance.googleapis.com, canonry.ai, canonry.local, citypointdental.com, commoncrawl.org, console.cloud.google.com, console.developers.google.com, data.commoncrawl.org, developers.google.com, downtownsmiles.com, example.com, fonts.googleapis.com, github.com, harbordental.com, hooks.example.com, indexing.googleapis.com, json-schema.org, logging.googleapis.com, mybusinessaccountmanagement.googleapis.com, mybusinessbusinessinformation.googleapis.com, mybusinesslodging.googleapis.com, oauth2.googleapis.com, openai.com, parkpediatricdental.com, places.googleapis.com, platform.claude.com, platform.openai.com, radix-ui.com, rdap.arin.net, react.dev, redacted.invalid, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, schema.org, searchconsole.googleapis.com, ssl.bing.com, support.google.com, vercel.com, www.bing.com, www.googleapis.com, www.npmjs.com

Source & flagged code

3 flagged · loading source
dist/chunk-D5PEINWZ.jsView file
25881// ../integration-commoncrawl/src/plugin-installer.ts L25882: import { spawn } from "child_process"; L25883: import fs4 from "fs/promises";
High
Child Process

Package source references child process execution.

dist/chunk-D5PEINWZ.jsView on unpkg · L25881
dist/cli.jsView file
10651databasePath, L10652: apiUrl: env.apiUrl || existingConfig?.apiUrl || `http://localhost:${process.env.CANONRY_PORT || "4100"}`, L10653: providers: Object.keys(mergedProviders ?? {}), ... L10666: // src/commands/daemon.ts L10667: import { spawn } from "child_process"; L10668: import fs10 from "fs";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L10651
dist/chunk-FVELOZTK.jsView file
187var _require = createRequire(import.meta.url); L188: var { version: VERSION } = _require("../package.json"); L189: var TELEMETRY_ENDPOINT = "https://canonry.ai/api/telemetry"; L190: var TIMEOUT_MS = 3e3; ... L201: function isTelemetryEnabled() { L202: if (process.env.CANONRY_TELEMETRY_DISABLED === "1") return false; L203: if (process.env.DO_NOT_TRACK === "1") return false; L204: if (process.env.CI) return false; L205: if (!configExists()) return true; ... L243: try { L244: const hostname = os.hostname() || ""; L245: const mac = firstNonInternalMac();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/chunk-FVELOZTK.jsView on unpkg · L187

Findings

4 High4 Medium6 Low
HighChild Processdist/chunk-D5PEINWZ.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighHost Fingerprint Exfiltrationdist/chunk-FVELOZTK.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings