registry  /  @sanity/cli  /  7.9.0

@sanity/cli@7.9.0

Sanity CLI tool for managing Sanity projects and organizations

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `sanity mcp configure`, `sanity skills install`, or selects setup during interactive `sanity init`.
Impact
Enables the Sanity MCP endpoint and installs Sanity skills for selected/detected AI tools.
Mechanism
User-invoked AI-editor MCP configuration and global agent-skill installation.
Rationale
This is not malicious, but it has a real explicit-user-command AI-agent control-surface mutation capability. Per policy, retain it as a warning rather than block it.
Evidence
package.jsonbin/run.jsdist/actions/mcp/setupMCP.jsdist/actions/mcp/writeMCPConfig.jsdist/actions/skills/setupSkills.jsdist/util/update/fetchUpdateInfo.jsdist/commands/mcp/configure.jsdist/commands/skills/install.js
Network endpoints1
mcp.sanity.io

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `sanity mcp configure` detects AI editors and can write their MCP configuration.
  • `writeMCPConfig.js` creates parent directories and writes a `Sanity` server entry.
  • `sanity skills install` runs bundled `skills add sanity-io/agent-toolkit ... -g -y`.
  • MCP configuration targets `https://mcp.sanity.io` and may add a bearer token.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare lifecycle hooks.
  • `bin/run.js` only enforces Node version then starts the Oclif CLI.
  • MCP setup prompts for editor selection unless explicitly run in auto mode.
  • Update checking only fetches package-version metadata in a detached worker.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 644 file(s), 1.34 MB of source, external domains: 192.168.1.1, admin.shopify.com, api.github.com, api.sanity.io, codeload.github.com, esbuild.github.io, example.com, github.com, high-traffic-site.com, mcp.sanity.io, myapp.com, nextjs.org, not.what-you-were-expecting.com, public.sanity.io, raw.githubusercontent.com, reference.sanity.io, sanity.io, sanity.work, sdk-explorer.sanity.io, some.host, www.sanity.io, www.some-malicious.site, www.w3.org

Source & flagged code

5 flagged · loading source
dist/util/update/updateChecker.jsView file
1import { spawn } from 'node:child_process'; L2: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/util/update/updateChecker.jsView on unpkg · L1
dist/util/packageManager/installationInfo/detectGlobals.jsView file
1import path from 'node:path'; L2: import { execa } from 'execa'; L3: import which from 'which';
High
Shell

Package source references shell execution.

dist/util/packageManager/installationInfo/detectGlobals.jsView on unpkg · L1
dist/actions/manifest/writeWorkspaceFiles.jsView file
1import { createHash } from 'node:crypto'; L2: import { writeFile } from 'node:fs/promises';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/actions/manifest/writeWorkspaceFiles.jsView on unpkg · L1
dist/commands/codemod.jsView file
118try { L119: const npxHelp = execSync('npx --help', { L120: encoding: 'utf8' ... L122: if (!npxHelp.includes('npm')) { L123: this.error('Not the npx we expected', { L124: exit: 1
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/codemod.jsView on unpkg · L118
bin/run.cmdView file
path = bin/run.cmd kind = build_helper sizeBytes = 31 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/run.cmdView on unpkg

Findings

3 High4 Medium6 Low
HighChild Processdist/util/update/updateChecker.js
HighShelldist/util/packageManager/installationInfo/detectGlobals.js
HighRuntime Package Installdist/commands/codemod.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/run.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/actions/manifest/writeWorkspaceFiles.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings