anyclaude-sdk@0.14.7

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an AI agent SDK with expected user-invoked LLM, web, filesystem, sandbox, telemetry, update-check, and MCP capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Host application calls exported SDK functions such as query(), sandbox/tool APIs, telemetry, update check, or MCP client.
Impact
Runtime network/file/shell activity depends on the host application's chosen tools and configuration; no concrete malicious behavior identified.
Mechanism
Package-aligned exported SDK capabilities; no hidden install-time mutation or exfiltration observed.
Rationale
Static inspection found no lifecycle install hook, no import-time payload, no credential harvesting, and no unconsented AI-agent control-surface mutation. The flagged primitives are expected SDK functionality and are either opt-out telemetry/update checks or user/host-invoked agent tools.
Evidence
  • package.json
  • dist/index.js
  • dist/query.js
  • dist/telemetry.js
  • dist/update.js
  • dist/skills/parse.js
  • dist/fs/linuxTree.js
  • dist/sandbox/local.js
  • dist/mcp/stdio.js
  • dist/tools/web_fetch.js
  • dist/tools/web_search.js
  • /etc/hostname
  • /etc/os-release
  • /home/user/.bashrc
Network endpoints (7)
  • anyclaude-telemetry.puter.work
  • registry.npmjs.org
  • api.openai.com/v1
  • api.anthropic.com/v1
  • agentrouter.org/v1
  • r.jina.ai/
  • html.duckduckgo.com/html/?q=

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/telemetry.js posts opt-out coarse usage events to https://anyclaude-telemetry.puter.work during query() use
  • dist/update.js can fetch https://registry.npmjs.org/<pkg>/latest when query() runs
  • dist/sandbox/local.js and dist/mcp/stdio.js expose user-configured child_process execution capabilities
  • dist/tools/web_fetch.js and dist/tools/web_search.js expose user-invoked network tools via r.jina.ai
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build script
  • dist/index.js is an export barrel with no import-time execution beyond module exports
  • dist/skills/parse.js only parses frontmatter; scanner unicode hit is a BOM-tolerant regex, not Trojan Source logic
  • dist/fs/linuxTree.js writes only sandbox filesystem seed files such as /etc/hostname and /etc/os-release when called
  • dist/telemetry.js allowlists fields and explicitly excludes prompts, paths, code, API keys, endpoints, and repo data
  • Network and shell/file primitives are package-aligned SDK features invoked by host code or agent tools, not hidden install-time behavior
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 432 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
  L27: VERSION_ID="1.0"
  L28: HOME_URL="https://webcontainers.io"
  L29: `;
  ...
  L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
  L42: await fs.writeFile(`${home}/.bashrc`, '');
  L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27
dist/skills/parse.js
  L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
  const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3
Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical · 3 Medium · 5 Low
  • Critical · Trojan Source Unicode · dist/skills/parse.js
  • Critical · Trigger Reachable Dangerous Capability · dist/skills/parse.js
  • Medium · Network
  • Medium · Install Persistence · dist/fs/linuxTree.js
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings