
anyclaude-sdk@0.15.1

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an agent SDK with user-invoked network, filesystem, shell, and MCP capabilities plus disclosed coarse telemetry/update checks.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing and calling SDK APIs such as query(), LocalSandbox, MCP, web_search, or web_fetch
Impact
No unconsented install-time mutation or exfiltration identified by static inspection
Mechanism
package-aligned SDK runtime capabilities and opt-out aggregate telemetry
Rationale
Static inspection shows potentially powerful APIs, but they are package-aligned and activated by user/runtime configuration rather than install-time or hidden behavior. Scanner flags for Trojan Source and persistence are explained by a BOM-tolerant regex and sandbox filesystem seeding, not attack code.
Evidence
package.json, dist/index.js, dist/query.js, dist/telemetry.js, dist/update.js, dist/skills/parse.js, dist/fs/linuxTree.js, dist/sandbox/local.js, dist/mcp/stdio.js, dist/tools/web_fetch.js, dist/tools/web_search.js, /etc/hostname, /etc/os-release, /home/user/.bashrc
Network endpoints (7)
anyclaude-telemetry.puter.work, registry.npmjs.org, r.jina.ai/, html.duckduckgo.com/html/?q=, api.openai.com/v1, api.anthropic.com/v1, agentrouter.org/v1

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/query.js calls opt-out telemetry and update checks when query() runs
  • dist/sandbox/local.js exposes user-invoked local shell and filesystem methods
  • dist/mcp/stdio.js can spawn user-configured MCP server commands
  • dist/tools/web_fetch.js and dist/tools/web_search.js fetch via Jina/DuckDuckGo by explicit tool use
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build
  • dist/skills/parse.js only parses markdown frontmatter; scanner-highlighted character is an optional BOM in regex
  • dist/fs/linuxTree.js writes sandbox /etc files and .bashrc only through caller-provided virtual fs
  • dist/telemetry.js whitelists coarse fields and comments/README disclose no prompts, code, paths, keys, or endpoints
  • dist/update.js only reads npm latest version and never installs or mutates files
  • No credential harvesting, remote payload loading, persistence, destructive action, or AI-agent config hijack found
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 436 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
  L27: VERSION_ID="1.0"
  L28: HOME_URL="https://webcontainers.io"
  L29: `;
  ...
  L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
  L42: await fs.writeFile(`${home}/.bashrc`, '');
  L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27
dist/skills/parse.js
  L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
  const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3
Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical · 3 Medium · 5 Low
  • Critical · Trojan Source Unicode · dist/skills/parse.js
  • Critical · Trigger Reachable Dangerous Capability · dist/skills/parse.js
  • Medium · Network
  • Medium · Install Persistence · dist/fs/linuxTree.js
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings