registry  /  @sanity/cli  /  7.7.1

@sanity/cli@7.7.1

Sanity CLI tool for managing Sanity projects and organizations

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package includes user-invoked Sanity MCP and agent-skill setup that can mutate AI editor configuration. This is a guarded first-party integration path rather than install-time hijacking or malware.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs Sanity CLI init/MCP/skills setup flows and accepts or uses auto setup options.
Impact
AI editors may be configured to use Sanity MCP and Sanity skills; no confirmed malicious execution or exfiltration chain was found.
Mechanism
writes Sanity MCP entries and invokes bundled skills CLI for selected agents
Rationale
Source inspection shows no install-time execution, hidden persistence, credential harvesting, destructive behavior, or foreign AI-agent hijack. The broad AI editor configuration writes are real but user-invoked and package-aligned, so they warrant warning rather than blocking.
Evidence
package.jsonbin/run.jsdist/actions/mcp/writeMCPConfig.jsdist/actions/mcp/setupMCP.jsdist/actions/mcp/editorConfigs.jsdist/actions/skills/setupSkills.jsdist/services/mcp.jsdist/util/update/updateChecker.jsdist/commands/codemod.js~/.codex/config.toml~/.claude.json~/.cursor/mcp.json~/.gemini/settings.json~/.copilot/mcp-config.json~/.config/opencode/opencode.json~/.config/zed/settings.json~/.agents/skills~/.claude/skills
Network endpoints1
mcp.sanity.io

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/actions/mcp/writeMCPConfig.js writes Sanity MCP server entries into detected editor config files
  • dist/actions/mcp/editorConfigs.js targets broad AI editor config paths including Codex, Claude Code, Cursor, VS Code, Cline, Gemini CLI, Copilot, OpenCode, Zed
  • dist/actions/skills/setupSkills.js can run bundled skills CLI to globally add Sanity skills for selected agents
  • dist/services/mcp.js creates/validates Sanity MCP tokens and exposes https://mcp.sanity.io
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/run.js only checks Node version then invokes oclif CLI
  • MCP and skills setup is reached through CLI init/setup flows, prompts or explicit/auto init options, not import/install time
  • dist/util/update/updateChecker.js spawns only a local worker to fetch latest package version and cache it
  • dist/commands/codemod.js runs npx jscodeshift only when the codemod command is invoked
  • No credential harvesting, destructive behavior, remote payload execution, or non-Sanity exfiltration found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 642 file(s), 1.32 MB of source, external domains: 192.168.1.1, admin.shopify.com, api.github.com, api.sanity.io, codeload.github.com, esbuild.github.io, example.com, github.com, high-traffic-site.com, mcp.sanity.io, myapp.com, nextjs.org, not.what-you-were-expecting.com, public.sanity.io, raw.githubusercontent.com, reference.sanity.io, sanity.io, sanity.work, sdk-explorer.sanity.io, some.host, www.sanity.io, www.some-malicious.site, www.w3.org

Source & flagged code

5 flagged · loading source
dist/util/update/updateChecker.jsView file
1import { spawn } from 'node:child_process'; L2: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/util/update/updateChecker.jsView on unpkg · L1
dist/util/packageManager/installationInfo/detectGlobals.jsView file
1import path from 'node:path'; L2: import { execa } from 'execa'; L3: import which from 'which';
High
Shell

Package source references shell execution.

dist/util/packageManager/installationInfo/detectGlobals.jsView on unpkg · L1
dist/actions/manifest/writeWorkspaceFiles.jsView file
1import { createHash } from 'node:crypto'; L2: import { writeFile } from 'node:fs/promises';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/actions/manifest/writeWorkspaceFiles.jsView on unpkg · L1
dist/commands/codemod.jsView file
118try { L119: const npxHelp = execSync('npx --help', { L120: encoding: 'utf8' ... L122: if (!npxHelp.includes('npm')) { L123: this.error('Not the npx we expected', { L124: exit: 1
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/codemod.jsView on unpkg · L118
bin/run.cmdView file
path = bin/run.cmd kind = build_helper sizeBytes = 31 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/run.cmdView on unpkg

Findings

3 High4 Medium6 Low
HighChild Processdist/util/update/updateChecker.js
HighShelldist/util/packageManager/installationInfo/detectGlobals.js
HighRuntime Package Installdist/commands/codemod.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/run.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/actions/manifest/writeWorkspaceFiles.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings