anyclaude-sdk@0.14.9

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are SDK capabilities that require explicit host-app or user invocation, with no install-time or import-time execution path.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit runtime use of SDK APIs such as query(), tools, MCP, telemetry, update check, or sandbox adapters.
Impact
No unconsented persistence, credential harvesting, exfiltration, or foreign AI-agent control-surface mutation identified.
Mechanism
user-invoked AI agent SDK capabilities
Rationale
Static inspection shows no install/import execution and no concrete malicious chain; scanner findings map to documented SDK functions and virtual sandbox setup. Telemetry/update/network/shell/file primitives are user-invoked and package-aligned rather than stealthy exfiltration or persistence.
Evidence
  • package.json
  • dist/index.js
  • dist/skills/parse.js
  • dist/fs/linuxTree.js
  • dist/telemetry.js
  • dist/update.js
  • dist/mcp/stdio.js
  • dist/mcp/client.js
  • dist/sandbox/local.js
  • dist/tools/bash.js
  • dist/tools/write_file.js
  • dist/tools/delete_file.js

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/telemetry.js has opt-out telemetry to https://anyclaude-telemetry.puter.work when track() is called, but allowlists coarse props.
  • dist/tools/bash.js, dist/tools/write_file.js, and dist/tools/delete_file.js expose agent tools capable of shell/file mutation when a host app enables them.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly builds before publishing.
  • dist/index.js is a barrel export; import does not execute network, shell, or filesystem mutation logic.
  • dist/skills/parse.js Trojan Source hint is a BOM-tolerant frontmatter regex, not hidden control-flow behavior.
  • dist/fs/linuxTree.js writes only to a caller-provided virtual fs to seed sandbox paths like /etc/hostname and /home/user/.bashrc.
  • dist/mcp/stdio.js and dist/sandbox/local.js lazily import child_process and run only when explicitly configured/used.
  • Network clients in dist/llm, dist/mcp, dist/update.js, and web tools are package-aligned SDK features, not install-time exfiltration.
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 435 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
    L27: VERSION_ID="1.0"
    L28: HOME_URL="https://webcontainers.io"
    L29: `;
    ...
    L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
    L42: await fs.writeFile(`${home}/.bashrc`, '');
    L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27
dist/skills/parse.js
    L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
    const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3
Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical · 3 Medium · 5 Low
  • Critical · Trojan Source Unicode · dist/skills/parse.js
  • Critical · Trigger Reachable Dangerous Capability · dist/skills/parse.js
  • Medium · Network
  • Medium · Install Persistence · dist/fs/linuxTree.js
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings