
clew-code@0.4.3

ClewCode — multi-provider AI coding agent CLI

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. Risky primitives are part of an AI coding agent and installer/runtime bootstrap, not unconsented npm install-time behavior.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User runs clew/clewcode or explicit install/helper scripts.
Impact: No confirmed credential exfiltration, persistence, destructive action, or lifecycle control-surface mutation.
Mechanism: User-invoked Bun launcher and AI coding-agent runtime.
Rationale: The scanner's download/execute finding is real but source-grounded to a user-invoked Bun bootstrap, not npm lifecycle execution or covert payload execution. The remaining dangerous capabilities match a full AI coding CLI and are gated by runtime use, configuration, or prompts.
Evidence: package.json, bin/clew.cjs, bin/claudevil.cjs, dist/main.js, scripts/install.sh, scripts/install.ps1, scripts/preload.ts
Network endpoints (7): bun.sh/install, bun.sh/install.ps1, api.anthropic.com, api.openai.com/v1, api.clew-code.org, api.github.com, localhost:11434

Decision evidence

public snapshot
The AI verdict was Clean (Benign) at 82.0% confidence, with medium false-positive risk.
Evidence for block
  • bin/clew.cjs auto-installs Bun on CLI run using curl|bash or PowerShell if bun is missing.
  • dist/main.js is a large bundled AI coding agent with shell, MCP, provider API, telemetry, and remote-session features.
  • scripts/install.sh and scripts/install.ps1 install Bun and globally install clew-code when explicitly run.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly is publisher-side only.
  • Declared bin entrypoints only launch bundled dist/main.js via Bun with user CLI args.
  • Network endpoints in dist/main.js are aligned with AI providers, auth, telemetry, local callbacks, peer/LAN features, or documented installer behavior.
  • Credential env vars/API keys are used for configured providers and GitHub maintenance scripts, not harvested at install/import time.
  • MCP/project trust dialogs and dangerous development channels require runtime user interaction or explicit CLI flags.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: Wildcard Dependency
scanned 33 file(s), 372 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cline.bot, api.deepseek.com, api.github.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, bun.sh, claude.ai, cloudcode-pa.googleapis.com, code.claude.com, docs.expo.dev, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, support.anthropic.com, www.schemastore.org
Oversized source lightweight scan
dist/main.js: 11.6 MB file, sampled 256 KB
  Tags: Filesystem, Network, Child Process, Environment Vars, High Entropy Strings, Url Strings
  Domains: api.anthropic.com, api.cline.bot, api.deepseek.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, cloudcode-pa.googleapis.com, code.claude.com, docs.expo.dev, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, www.schemastore.org

Source & flagged code

7 flagged
bin/claudevil.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
High
Child Process

Package source references child process execution.

Location: bin/claudevil.cjs, L1
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

Location: bin/claudevil.cjs, L1
scripts/preload.ts
  L119: const c = readFileSync(file, 'utf-8')
  L120: let m: RegExpExecArray | null
  L121: while ((m = typePattern.exec(c)) !== null) allTypes.push(m[2])
High
Shell

Package source references shell execution.

Location: scripts/preload.ts, L119
bin/clew.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58:   console.error('Clew requires Bun at runtime.');
Critical
Download Execute

Source downloads or fetches remote code and executes it.

Location: bin/clew.cjs, L1
  Trigger-reachable chain: manifest.bin -> bin/clew.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58:   console.error('Clew requires Bun at runtime.');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

Location: bin/clew.cjs, L1
scripts/install.sh
  path = scripts/install.sh
  kind = build_helper
  sizeBytes = 2837
  magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Location: scripts/install.sh
dist/main.js
  path = dist/main.js
  kind = oversized_source_file
  sizeBytes = 12163200
  magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

Location: dist/main.js

Findings

2 Critical, 4 High, 5 Medium, 5 Low
  • Critical · Download Execute · bin/clew.cjs
  • Critical · Trigger Reachable Dangerous Capability · bin/clew.cjs
  • High · Child Process · bin/claudevil.cjs
  • High · Shell · scripts/preload.ts
  • High · Sandbox Evasion Gated Capability · bin/claudevil.cjs
  • High · Oversized Source File · dist/main.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Build Helper · scripts/install.sh
  • Medium · Structural Risk Force Deep Review
  • Medium · Wildcard Dependency
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings