clew-code@0.4.7

ClewCode — multi-provider AI coding agent CLI

AI Security Review

scanned 21h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. Risky primitives are aligned with a user-invoked AI coding CLI and its documented MCP/plugin/shell features.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User runs clew/clewcode or explicitly runs installer scripts.
Impact: Runs local agent CLI with user-selected provider/network/tool capabilities; no unconsented lifecycle mutation confirmed.
Mechanism: User-invoked AI agent launcher and optional Bun bootstrap.
Rationale: Static inspection shows broad AI-agent capabilities and a runtime Bun bootstrap, but no npm install hook, unconsented foreign agent control-surface mutation, credential exfiltration, persistence, or remote payload execution beyond user-invoked package-aligned setup. Scanner download/execute and child_process findings are explained by the CLI launcher and documented agent features.
Evidence: package.json, bin/clew.cjs, bin/claudevil.cjs, bin/clew, bin/claudevil, scripts/install.sh, scripts/install.ps1, README.md, dist/main.js
Network endpoints (3): bun.sh/install, bun.sh/install.ps1, github.com/ClewCode/ClewCode/issues

Decision evidence

Public snapshot: AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/clew.cjs auto-runs Bun installer via curl/PowerShell if bun is missing, but only when the clew CLI is invoked.
  • dist/main.js exposes agent/MCP/plugin/permission-bypass features typical of an AI coding CLI.
  • scripts/install.sh and scripts/install.ps1 install Bun and clew-code globally, but they run only when a user explicitly invokes them as npm scripts.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hook; only prepublishOnly build hook.
  • package.json bin exposes clew/clewcode launchers that run local dist/main.js via Bun.
  • README.md documents a local-first AI coding agent with MCP, plugins, shell tools, and provider APIs.
  • No package source found planting CLAUDE.md, .mcp.json, .claude, Codex/Cursor settings, shell startup files, or VCS hooks at install time.
  • GitHub-token scripts are development/maintenance scripts, not bin/import/lifecycle reachable.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: WildcardDependency
scanned 33 file(s), 372 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cline.bot, api.deepseek.com, api.github.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, bun.sh, claude.ai, code.claude.com, docs.expo.dev, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, router.huggingface.co, support.anthropic.com, www.schemastore.org
Oversized source lightweight scan
dist/main.js: 11.6 MB file, sampled 256 KB
Behaviors: Filesystem, Network, ChildProcess, EnvironmentVars, HighEntropyStrings, UrlStrings
Domains: api.anthropic.com, api.cline.bot, api.deepseek.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, code.claude.com, docs.expo.dev, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, router.huggingface.co, www.schemastore.org

Source & flagged code

7 flagged
bin/claudevil.cjs
    L1:  #!/usr/bin/env node
    L2:  const { spawn, spawnSync } = require('child_process');
    L3:  const { existsSync } = require('fs');
High
Child Process

Package source references child process execution.

Location: bin/claudevil.cjs, L1
    L1:  #!/usr/bin/env node
    L2:  const { spawn, spawnSync } = require('child_process');
    L3:  const { existsSync } = require('fs');
    ...
    L17: function resolveBunCommand() {
    L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
    L19:   const result = spawnSync(whichCommand, ['bun'], {
    ...
    L24:
    L25:   if (result.status !== 0 || !result.stdout) {
    L26:     return null;
    ...
    L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
    L57:     : 'curl -fsSL https://bun.sh/install | bash';
    L58:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

Location: bin/claudevil.cjs, L1
scripts/preload.ts
    L119: const c = readFileSync(file, 'utf-8')
    L120: let m: RegExpExecArray | null
    L121: while ((m = typePattern.exec(c)) !== null) allTypes.push(m[2])
High
Shell

Package source references shell execution.

Location: scripts/preload.ts, L119
bin/clew.cjs
    L1:  #!/usr/bin/env node
    L2:  const { spawn, spawnSync } = require('child_process');
    L3:  const { existsSync } = require('fs');
    ...
    L17: function resolveBunCommand() {
    L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
    L19:   const result = spawnSync(whichCommand, ['bun'], {
    ...
    L24:
    L25:   if (result.status !== 0 || !result.stdout) {
    L26:     return null;
    ...
    L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
    L57:     : 'curl -fsSL https://bun.sh/install | bash';
    L58: console.error('Clew requires Bun at runtime.');
Critical
Download Execute

Source downloads or fetches remote code and executes it.

Location: bin/clew.cjs, L1
Trigger-reachable chain: manifest.bin -> bin/clew.cjs
    L1:  #!/usr/bin/env node
    L2:  const { spawn, spawnSync } = require('child_process');
    L3:  const { existsSync } = require('fs');
    ...
    L17: function resolveBunCommand() {
    L18:   const whichCommand = process.platform === 'win32' ? 'where' : 'which';
    L19:   const result = spawnSync(whichCommand, ['bun'], {
    ...
    L24:
    L25:   if (result.status !== 0 || !result.stdout) {
    L26:     return null;
    ...
    L56:     ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
    L57:     : 'curl -fsSL https://bun.sh/install | bash';
    L58: console.error('Clew requires Bun at runtime.');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

Location: bin/clew.cjs, L1
scripts/install.sh
    path = scripts/install.sh, kind = build_helper, sizeBytes = 2837, magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Location: scripts/install.sh
dist/main.js
    path = dist/main.js, kind = oversized_source_file, sizeBytes = 12184061, magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

Location: dist/main.js

Findings

2 Critical, 4 High, 5 Medium, 5 Low
  • Critical: Download Execute (bin/clew.cjs)
  • Critical: Trigger Reachable Dangerous Capability (bin/clew.cjs)
  • High: Child Process (bin/claudevil.cjs)
  • High: Shell (scripts/preload.ts)
  • High: Sandbox Evasion Gated Capability (bin/claudevil.cjs)
  • High: Oversized Source File (dist/main.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Build Helper (scripts/install.sh)
  • Medium: Structural Risk Force Deep Review
  • Medium: Wildcard Dependency
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings