AI Security Review
scanned 2h ago · by lpm-firewall-aiNormal CLI invocation sends package-aligned telemetry by default. The telemetry identifier can be deterministically derived from local hostname and MAC address when no configured identifier exists.
Decision evidence
public snapshot- `dist/chunk-GV665WOU.js` derives an anonymous ID from hostname and a non-internal MAC address when no stored ID exists.
- `dist/chunk-GV665WOU.js` POSTs telemetry to `https://canonry.ai/api/telemetry` with that ID, OS, architecture, Node version, and command properties.
- `dist/cli.js` invokes telemetry for normal CLI commands unless disabled.
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- `bin/canonry.mjs` and `bin/canonry-mcp.mjs` only dynamically import their CLI/MCP entrypoints after explicit execution.
- `dist/cli.js` MCP and skills writes are tied to explicit `mcp install`, `skills install`, or `init` commands, with backup/dry-run support.
- Child-process use opens an OAuth URL, starts this package's server daemon, or installs the optional CommonCrawl DuckDB plugin.
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-WEAXJ25Y.jsView on unpkgPackage source references child process execution.
dist/chunk-WEAXJ25Y.jsView on unpkg · L26301A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L10699Source collects local host identity data and sends it to an external endpoint.
dist/chunk-GV665WOU.jsView on unpkg · L187