AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is an AI agent SDK with expected user-invoked LLM, web, filesystem, sandbox, telemetry, update-check, and MCP capabilities.
Decision evidence
public snapshot
- dist/telemetry.js posts opt-out coarse usage events to https://anyclaude-telemetry.puter.work during query() use
- dist/update.js can fetch https://registry.npmjs.org/<pkg>/latest when query() runs
- dist/sandbox/local.js and dist/mcp/stdio.js expose user-configured child_process execution capabilities
- dist/tools/web_fetch.js and dist/tools/web_search.js expose user-invoked network tools via r.jina.ai
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build script
- dist/index.js is an export barrel with no import-time execution beyond module exports
- dist/skills/parse.js only parses frontmatter; scanner unicode hit is a BOM-tolerant regex, not Trojan Source logic
- dist/fs/linuxTree.js writes only sandbox filesystem seed files such as /etc/hostname and /etc/os-release when called
- dist/telemetry.js allowlists fields and explicitly excludes prompts, paths, code, API keys, endpoints, and repo data
- Network and shell/file primitives are package-aligned SDK features invoked by host code or agent tools, not hidden install-time behavior
Source & flagged code
3 flagged
- Source writes installer persistence such as shell profile or service configuration.
  dist/fs/linuxTree.js · L27
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
  dist/skills/parse.js · L3
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  dist/skills/parse.js