anyclaude-sdk@0.14.8

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package exposes SDK features for LLM calls, web fetch/search, local sandbox execution, MCP subprocesses, telemetry, and update checks, all activated by consumer API use rather than npm install hooks.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports SDK APIs and explicitly calls query/client/tool/sandbox/MCP/update/telemetry functions.
Impact
User-invoked agent tooling can access configured workspaces or endpoints, but no unconsented install-time behavior or exfiltration chain was found.
Mechanism
Package-aligned SDK network, filesystem, and subprocess capabilities
Rationale
Scanner findings map to legitimate SDK primitives: telemetry/update checks are bounded and opt-out, filesystem writes target caller-supplied sandboxes, and subprocess/network capabilities require explicit API use. There is no lifecycle hook abuse, credential harvesting, persistence, destructive behavior, or foreign AI-agent control-surface mutation.
Evidence
package.json, dist/index.js, dist/skills/parse.js, dist/fs/linuxTree.js, dist/telemetry.js, dist/update.js, dist/mcp/stdio.js, dist/sandbox/local.js, dist/tools/web_search.js, dist/tools/web_fetch.js, dist/llm/openai.js, dist/llm/anthropic.js
Network endpoints (7)
anyclaude-telemetry.puter.work, registry.npmjs.org, r.jina.ai/, html.duckduckgo.com/html/?q=, api.openai.com/v1, api.anthropic.com/v1, agentrouter.org/v1

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/telemetry.js has opt-out telemetry POSTs to https://anyclaude-telemetry.puter.work when track() is used.
  • dist/update.js can check https://registry.npmjs.org for package updates when checkForUpdate()/notifyIfOutdated() is called.
  • dist/mcp/stdio.js and dist/sandbox/local.js expose user-configured child_process spawn/exec capabilities.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly builds before publishing.
  • dist/index.js is a barrel export and does not perform install-time or import-time mutation.
  • dist/skills/parse.js only parses markdown frontmatter; the flagged invisible char is a BOM match in a regex, not bidi control flow.
  • dist/fs/linuxTree.js writes /etc and .bashrc only into the caller-provided FileSystem sandbox.
  • Network code is package-aligned LLM, MCP, web_search/web_fetch, telemetry, and update-check functionality.
  • No credential harvesting, remote payload loading, destructive persistence, or AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 434 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
    L27: VERSION_ID="1.0"
    L28: HOME_URL="https://webcontainers.io"
    L29: `;
    ...
    L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
    L42: await fs.writeFile(`${home}/.bashrc`, '');
    L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27
dist/skills/parse.js
    L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
    const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3
Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical, 3 Medium, 5 Low
  • Critical: Trojan Source Unicode (dist/skills/parse.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/skills/parse.js)
  • Medium: Network
  • Medium: Install Persistence (dist/fs/linuxTree.js)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings