anyclaude-sdk@0.14.6

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package contains user-invoked SDK capabilities for LLM calls, sandbox file operations, shell execution, web fetch/search, telemetry, and update checks, all aligned with the package purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit import and user/runtime calls to SDK APIs such as query(), tools, telemetry track(), or update check helpers.
Impact
No install-time compromise or hidden exfiltration identified; runtime impact depends on host-selected tools, workspace, permissions, and configured LLM endpoints.
Mechanism
User-invoked agent SDK capabilities and opt-out metadata telemetry.
Rationale
Static inspection shows potentially powerful agent features, network clients, telemetry, and update checking, but they are package-aligned and activated by explicit runtime use rather than install/import-time stealth behavior. Scanner findings for Trojan Source and persistence appear to be false positives: a BOM-aware regex and virtual sandbox filesystem seeding.
Evidence
package.json, dist/index.js, dist/skills/parse.js, dist/fs/linuxTree.js, dist/telemetry.js, dist/update.js, dist/tools/bash.js, dist/tools/web_fetch.js, dist/tools/web_search.js, dist/sandbox/local.js, /etc/hostname, /etc/os-release, /home/user/.bashrc
Network endpoints (7)
anyclaude-telemetry.puter.work, registry.npmjs.org, api.openai.com/v1, api.anthropic.com/v1, agentrouter.org/v1, r.jina.ai/, html.duckduckgo.com/html/?q=

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/telemetry.js defines opt-out telemetry to https://anyclaude-telemetry.puter.work with a generated install id when track() is called.
  • dist/update.js can fetch https://registry.npmjs.org/<pkg>/latest when checkForUpdate()/notifyIfOutdated() is called.
  • dist/tools/bash.js, write_file.js, delete_file.js expose agent tools that can execute commands or modify workspace files when host supplies ctx.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build script is publisher-side.
  • dist/index.js is a barrel of exports; no top-level execution beyond imports/exports observed.
  • dist/skills/parse.js scanner hit is a UTF-8 BOM allowance in a frontmatter regex, not bidi Trojan Source logic.
  • dist/fs/linuxTree.js only seeds a provided virtual fs with sandbox paths and empty .bashrc when seedLinuxTree(fs) is explicitly called.
  • Network clients in dist/llm/*.js and dist/tools/web_*.js use user/configured endpoints for SDK functionality, not hidden exfiltration.
  • No native binaries, executable payloads, broad AI-agent config mutation, or install-time persistence found.
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 430 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
  L27: VERSION_ID="1.0"
  L28: HOME_URL="https://webcontainers.io"
  L29: `;
  ...
  L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
  L42: await fs.writeFile(`${home}/.bashrc`, '');
  L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27

dist/skills/parse.js
  L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
  const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3

Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical · 3 Medium · 5 Low
  • Critical: Trojan Source Unicode (dist/skills/parse.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/skills/parse.js)
  • Medium: Network
  • Medium: Install Persistence (dist/fs/linuxTree.js)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings