registry  /  clew-code  /  0.4.9

clew-code@0.4.9

ClewCode — multi-provider AI coding agent CLI

AI Security Review

scanned 6h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs clew/clewcode or explicit installer/CLI subcommands
Impact
Dangerous capabilities can execute tools, manage MCP/plugin config, or bypass permissions when selected by the user, but no unconsented lifecycle hijack was found.
Mechanism
user-invoked AI-agent platform with runtime bootstrap and extension management
Rationale
Static inspection shows a powerful AI coding-agent package with risky user-invoked extension and permission features, but not concrete malicious behavior or lifecycle-triggered foreign agent control-surface mutation. The scanner's download/execute finding maps to a CLI-time Bun installer and explicit install scripts, not npm install-time payload execution.
Evidence
package.jsonbin/clew.cjsbin/claudevil.cjsscripts/install.shscripts/install.ps1dist/main.js~/.clewClaude/claude_desktop_config.json
Network endpoints5
bun.sh/installapi.clew-code.orgapi.anthropic.comapi.openai.com/v1github.com/ClewCode/ClewCode/issues

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/clew.cjs auto-installs Bun via curl|bash or PowerShell when the user runs clew without Bun.
  • dist/main.js exposes AI-agent capabilities: MCP server management, plugin marketplaces, hooks, remote control, and permission bypass modes.
  • dist/main.js can read Claude Desktop MCP config via the user-invoked add-from-claude-desktop command.
  • dist/main.js writes package-owned user config/state under ~/.clew, including plugins/keybindings/session state.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hook; prepublishOnly is publish-time only.
  • bin/claudevil.cjs and bin/clew.cjs launch packaged dist/main.js rather than fetching arbitrary package code.
  • scripts/install.sh and scripts/install.ps1 are explicit installer scripts, not npm lifecycle scripts.
  • No source evidence of credential harvesting, destructive behavior, persistence hooks, or unconsented writes to foreign AI-agent control surfaces at install time.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 33 file(s), 372 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cline.bot, api.deepseek.com, api.github.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, bun.sh, claude.ai, code.claude.com, docs.expo.dev, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, router.huggingface.co, support.anthropic.com, www.schemastore.org
Oversized source lightweight scan
dist/main.js11.6 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapi.anthropic.comapi.cline.botapi.deepseek.comapi.groq.comapi.kilo.aiapi.mistral.aiapi.openai.comapi.sakana.aiapi.x.aiapp.corridor.devcode.claude.comdocs.expo.devgenerativelanguage.googleapis.comgithub.commcp.sentry.devopencode.aiopenrouter.airouter.huggingface.cowww.schemastore.org

Source & flagged code

7 flagged · loading source
bin/claudevil.cjsView file
1#!/usr/bin/env node L2: const { spawn, spawnSync } = require('child_process'); L3: const { existsSync } = require('fs');
High
Child Process

Package source references child process execution.

bin/claudevil.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const { spawn, spawnSync } = require('child_process'); L3: const { existsSync } = require('fs'); ... L17: function resolveBunCommand() { L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which'; L19: const result = spawnSync(whichCommand, ['bun'], { ... L24: L25: if (result.status !== 0 || !result.stdout) { L26: return null; ... L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"' L57: : 'curl -fsSL https://bun.sh/install | bash'; L58:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/claudevil.cjsView on unpkg · L1
scripts/preload.tsView file
119const c = readFileSync(file, 'utf-8') L120: let m: RegExpExecArray | null L121: while ((m = typePattern.exec(c)) !== null) allTypes.push(m[2])
High
Shell

Package source references shell execution.

scripts/preload.tsView on unpkg · L119
bin/clew.cjsView file
1#!/usr/bin/env node L2: const { spawn, spawnSync } = require('child_process'); L3: const { existsSync } = require('fs'); ... L17: function resolveBunCommand() { L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which'; L19: const result = spawnSync(whichCommand, ['bun'], { ... L24: L25: if (result.status !== 0 || !result.stdout) { L26: return null; ... L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"' L57: : 'curl -fsSL https://bun.sh/install | bash'; L58: console.error('Clew requires Bun at runtime.');
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/clew.cjsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> bin/clew.cjs L1: #!/usr/bin/env node L2: const { spawn, spawnSync } = require('child_process'); L3: const { existsSync } = require('fs'); ... L17: function resolveBunCommand() { L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which'; L19: const result = spawnSync(whichCommand, ['bun'], { ... L24: L25: if (result.status !== 0 || !result.stdout) { L26: return null; ... L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"' L57: : 'curl -fsSL https://bun.sh/install | bash'; L58: console.error('Clew requires Bun at runtime.');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/clew.cjsView on unpkg · L1
scripts/install.shView file
path = scripts/install.sh kind = build_helper sizeBytes = 2837 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install.shView on unpkg
dist/main.jsView file
path = dist/main.js kind = oversized_source_file sizeBytes = 12205353 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/main.jsView on unpkg

Findings

2 Critical4 High5 Medium5 Low
CriticalDownload Executebin/clew.cjs
CriticalTrigger Reachable Dangerous Capabilitybin/clew.cjs
HighChild Processbin/claudevil.cjs
HighShellscripts/preload.ts
HighSandbox Evasion Gated Capabilitybin/claudevil.cjs
HighOversized Source Filedist/main.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/install.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings