
clew-code@0.4.6

ClewCode — multi-provider AI coding agent CLI

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The notable risk is user-invoked runtime bootstrapping of Bun and an expected AI coding-agent CLI with shell, network, MCP, and plugin features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs clew/clewcode or explicit installer scripts.
Impact
Can download/install Bun and run an AI coding CLI, but this is package-aligned and not install-time or covert behavior.
Mechanism
User-invoked Bun launcher and AI coding-agent runtime.
Rationale
Scanner download_execute findings are real but tied to user-invoked Bun bootstrapping for a Bun-based CLI, not npm install-time compromise or covert payload execution. The bundled network, shell, token, MCP, and plugin features match the advertised AI coding-agent function and no concrete exfiltration or persistence path was confirmed.
Evidence
  • package.json
  • bin/clew.cjs
  • bin/claudevil.cjs
  • scripts/install.sh
  • scripts/install.ps1
  • scripts/preload.ts
  • dist/main.js
  • README.md
  • bin/clew.cjs executes dist/main.js via bun
  • bin/clew.cjs may install ~/.bun via bun.sh when bun is absent
  • scripts/install.sh may run bun install -g clew-code --ignore-scripts
  • scripts/install.ps1 may run bun install -g clew-code --ignore-scripts
Network endpoints (12)
  • bun.sh/install
  • bun.sh/install.ps1
  • github.com/ClewCode/ClewCode/issues
  • api.openai.com/v1
  • generativelanguage.googleapis.com/v1beta/openai
  • cloudcode-pa.googleapis.com/v1internal
  • openrouter.ai/api/v1
  • api.deepseek.com/v1
  • opencode.ai/zen/v1
  • api.cline.bot/api/v1
  • api.groq.com/openai/v1
  • api.x.ai/v1

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/clew.cjs auto-installs Bun on CLI run if bun is missing using curl|bash or PowerShell iex.
  • dist/main.js is a large bundled AI coding-agent CLI with shell/tool/MCP/plugin capabilities reachable after user invocation.
Evidence against
  • package.json has no install/postinstall hooks; prepublishOnly is publisher-side only.
  • bin/clew.cjs and bin/claudevil.cjs only resolve bun then spawn dist/main.js with user CLI args.
  • scripts/install.sh and scripts/install.ps1 are explicit installer helpers, not npm lifecycle hooks.
  • README documents provider API keys and AI coding-agent behavior matching dist/main.js provider endpoints.
  • dist/main.js provider network endpoints are package-aligned AI APIs, local Ollama, GitHub feedback, and Anthropic SDK code.
  • No confirmed credential harvesting, persistence, destructive action, or unconsented AI-agent control-surface writes found.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: WildcardDependency
scanned 33 file(s), 372 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cline.bot, api.deepseek.com, api.github.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, bun.sh, claude.ai, cloudcode-pa.googleapis.com, code.claude.com, docs.expo.dev, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, support.anthropic.com, www.schemastore.org
Oversized source lightweight scan
dist/main.js: 11.6 MB file, sampled 256 KB
Surface: Filesystem, Network, ChildProcess, EnvironmentVars, HighEntropyStrings, UrlStrings
Domains: api.anthropic.com, api.cline.bot, api.deepseek.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, cloudcode-pa.googleapis.com, code.claude.com, docs.expo.dev, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, www.schemastore.org

Source & flagged code

7 flagged
bin/claudevil.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
High
Child Process

Package source references child process execution.

bin/claudevil.cjs, L1
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. In the excerpt above the only gate visible is the process.platform === 'win32' branch, which selects where over which and the PowerShell installer hint over the curl one; the Rationale above treats this as ordinary cross-platform launcher logic rather than evasion.

bin/claudevil.cjs, L1
scripts/preload.ts
  L119: const c = readFileSync(file, 'utf-8')
  L120: let m: RegExpExecArray | null
  L121: while ((m = typePattern.exec(c)) !== null) allTypes.push(m[2])
High
Shell

Package source references shell execution. The displayed lines (L119 to L121) only read a file and run a regular expression over it; the shell call that matched this rule is not in the excerpt shown, so confirm it in the file before weighting this finding.

scripts/preload.ts, L119
bin/clew.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58: console.error('Clew requires Bun at runtime.');
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/clew.cjs, L1
Trigger-reachable chain: manifest.bin -> bin/clew.cjs
  L1: #!/usr/bin/env node
  L2: const { spawn, spawnSync } = require('child_process');
  L3: const { existsSync } = require('fs');
  ...
  L17: function resolveBunCommand() {
  L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
  L19:   const result = spawnSync(whichCommand, ['bun'], {
  ...
  L24:
  L25:   if (result.status !== 0 || !result.stdout) {
  L26:     return null;
  ...
  L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
  L57:     : 'curl -fsSL https://bun.sh/install | bash';
  L58: console.error('Clew requires Bun at runtime.');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/clew.cjs, L1
scripts/install.sh
  path = scripts/install.sh, kind = build_helper, sizeBytes = 2837, magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install.sh
dist/main.js
  path = dist/main.js, kind = oversized_source_file, sizeBytes = 12182401, magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling. Only 256 KB of the 11.6 MB dist/main.js was sampled (see the lightweight scan above), so the capability tags and domain list reported for that file cover a sample, not the whole bundle; the "no confirmed exfiltration or persistence path" conclusion rests on that sample plus the package-aligned endpoints it surfaced.

dist/main.js

Findings

2 Critical · 4 High · 5 Medium · 5 Low
  • Critical: Download Execute (bin/clew.cjs)
  • Critical: Trigger Reachable Dangerous Capability (bin/clew.cjs)
  • High: Child Process (bin/claudevil.cjs)
  • High: Shell (scripts/preload.ts)
  • High: Sandbox Evasion Gated Capability (bin/claudevil.cjs)
  • High: Oversized Source File (dist/main.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Build Helper (scripts/install.sh)
  • Medium: Structural Risk Force Deep Review
  • Medium: Wildcard Dependency
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings