registry  /  clawnify  /  0.10.0

clawnify@0.10.0

Deploy your apps and website to Clawnify from the terminal with Claude Code, Codex, and Cursor

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `clawnify ai-files install` can add Clawnify instructions, skills, and an MCP server entry to the current project. Explicit `clawnify execute` forwards provided code to Clawnify's authenticated remote MCP service. No install-time execution or unconsented broad agent-control mutation is present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `clawnify ai-files install`, `clawnify execute`, deploy, or other CLI commands.
Impact
A user who opts in can alter current-project agent configuration and submit selected code/project archives to Clawnify services.
Mechanism
User-invoked project agent setup and authenticated remote platform operations.
Rationale
Source inspection found no concrete malicious chain, install-time behavior, credential theft, or stealth persistence. Policy classifies the explicit first-party agent extension lifecycle as warn-level risk rather than a publish-blocking attack.
Evidence
package.jsondist/index.jsdist/chunk-S2EOEZO7.jsdist/cli-BBJGGLQP.jsdist/mcp-OSFATJGC.js.mcp.jsonAGENTS.mdCLAUDE.md.cursorrulesCONVENTIONS.md.claude/skills.codex/skills.cursor/rules.openclaw/skills
Network endpoints4
auth.clawnify.comprovision.clawnify.commcp.clawnify.com/mcpclawnify-mcp-docs.workers.dev

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli-BBJGGLQP.js` implements `ai-files install`, which writes agent rules, skills, and `.mcp.json`.
  • The installed MCP entry runs `npx clawnify --mcp`, extending detected Claude/Cursor/Codex-style project agents.
  • `execute` sends user-supplied or user-selected TypeScript source to authenticated `mcp.clawnify.com`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` only imports CLI/MCP modules after a user invokes the bin.
  • Agent-file mutation is limited to explicit `ai-files install`/`uninstall` commands in the current project.
  • Auth tokens are used for the package's OAuth/API hosts; no unrelated credential harvesting or exfiltration path was found.
  • Subprocess use is user-invoked Git, Vite, Wrangler, and Drizzle tooling; no hidden payload execution was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 188 KB of source, external domains: 127.0.0.1, app.clawnify.com, auth.clawnify.com, clawnify-mcp-docs.workers.dev, docs.astro.build, github.com, mcp.clawnify.com, nodejs.org, provision.clawnify.com, services.clawnify.com

Source & flagged code

4 flagged · loading source
dist/cli-BBJGGLQP.jsView file
27import crypto from "crypto"; L28: import http from "http"; L29: import readline from "readline"; ... L43: "Access-Control-Allow-Methods": "GET, OPTIONS", L44: "Access-Control-Allow-Private-Network": "true" L45: }; ... L47: res.writeHead(204, corsHeaders); L48: res.end(); L49: return; ... L100: input: process.stdin, L101: output: process.stdout L102: });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli-BBJGGLQP.jsView on unpkg · L27
27Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/cli-BBJGGLQP.js L27: import crypto from "crypto"; L28: import http from "http"; L29: import readline from "readline"; ... L43: "Access-Control-Allow-Methods": "GET, OPTIONS", L44: "Access-Control-Allow-Private-Network": "true" L45: }; ... L47: res.writeHead(204, corsHeaders); L48: res.end(); L49: return; ... L100: input: process.stdin, L101: output: process.stdout L102: });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli-BBJGGLQP.jsView on unpkg · L27
178import readline2 from "readline"; L179: import { spawn } from "child_process"; L180:
High
Child Process

Package source references child process execution.

dist/cli-BBJGGLQP.jsView on unpkg · L178
797await new Promise((resolve) => { L798: const proc = spawn("npx", ["drizzle-kit", "generate"], { L799: cwd: resolvedDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli-BBJGGLQP.jsView on unpkg · L797

Findings

2 Critical3 High3 Medium5 Low
CriticalCredential Exfiltrationdist/cli-BBJGGLQP.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli-BBJGGLQP.js
HighChild Processdist/cli-BBJGGLQP.js
HighShell
HighRuntime Package Installdist/cli-BBJGGLQP.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License