anyclaude-sdk@0.15.0

Standalone, browser-compatible SDK providing Claude Code agent capabilities (tools, tool loop, multi-turn, MCP, sub-agents, sessions) against any OpenAI/Anthropic-compatible LLM endpoint. Runs in the browser (WebContainer), Node, and Bun — no backend requ

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package provides an AI agent SDK with user-invoked LLM, web, shell, filesystem, MCP, telemetry, and update-check features that align with its stated purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the SDK and calls query(), agent tools, sandbox, MCP, telemetry, update, or LLM helper APIs.
Impact
No evidence of credential harvesting, destructive behavior, install-time persistence, remote payload execution, or unconsented AI-agent control-surface mutation.
Mechanism
Package-aligned SDK capabilities with opt-out telemetry and user-supplied execution contexts.
Rationale
Static inspection shows potentially powerful agent and sandbox primitives, but they are exported SDK features or query-time telemetry/update behavior rather than install-time or import-time attack code. No source evidence shows secret exfiltration, stealth persistence, destructive actions, or unauthorized mutation of a foreign AI-agent control surface.
Evidence
  • package.json
  • dist/index.js
  • dist/query.js
  • dist/telemetry.js
  • dist/update.js
  • dist/fs/linuxTree.js
  • dist/skills/parse.js
  • dist/tools/bash.js
  • dist/sandbox/local.js
  • dist/mcp/stdio.js
  • /etc/hostname
  • /etc/os-release
  • /home/user/.bashrc
Network endpoints (7)
  • anyclaude-telemetry.puter.work
  • registry.npmjs.org
  • api.anthropic.com/v1
  • api.openai.com/v1
  • agentrouter.org/v1
  • r.jina.ai/
  • html.duckduckgo.com/html/?q=

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/query.js calls opt-out telemetry and update checks when query() is invoked.
  • dist/telemetry.js posts coarse SDK usage to https://anyclaude-telemetry.puter.work by default.
  • dist/tools/bash.js, dist/sandbox/local.js, and dist/mcp/stdio.js expose user-invoked shell/MCP process execution capabilities.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
  • dist/index.js is a barrel export and does not execute package logic on import.
  • dist/telemetry.js allowlists coarse fields and explicitly drops prompts, paths, keys, endpoints, and source content.
  • dist/update.js only fetches package metadata from https://registry.npmjs.org and never installs.
  • dist/fs/linuxTree.js seeds a provided filesystem abstraction with sandbox-like Linux paths, not host persistence.
  • dist/skills/parse.js contains a BOM-tolerant regex, not hidden control-flow or executable payload.
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 116 file(s), 436 KB of source, external domains: agentrouter.org, anyclaude-telemetry.puter.work, api.anthropic.com, api.openai.com, duckduckgo.com, github.com, html.duckduckgo.com, r.jina.ai, registry.npmjs.org, webcontainers.io

Source & flagged code

3 flagged
dist/fs/linuxTree.js
    L27: VERSION_ID="1.0"
    L28: HOME_URL="https://webcontainers.io"
    L29: `;
    ...
    L41: await fs.writeFile('/etc/os-release', OS_RELEASE);
    L42: await fs.writeFile(`${home}/.bashrc`, '');
    L43: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/fs/linuxTree.js · L27
dist/skills/parse.js
    L3: contains invisible/control Unicode U+FEFF (zero width no-break space)
    const FRONTMATTER = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/skills/parse.js · L3
Trigger-reachable chain: manifest.exports -> dist/skills/index.js -> dist/skills/parse.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/skills/parse.js

Findings

2 Critical · 3 Medium · 5 Low
  • Critical: Trojan Source Unicode (dist/skills/parse.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/skills/parse.js)
  • Medium: Network
  • Medium: Install Persistence (dist/fs/linuxTree.js)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings