
clew-code@0.4.8

ClewCode — multi-provider AI coding agent CLI

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a large AI coding-agent CLI with user-invoked network, plugin, MCP, remote-session, and shell capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs clew/clewcode or explicit installer scripts
Impact
Potentially broad local agent capability when explicitly launched, but no unconsented install/import-time compromise found
Mechanism
user-invoked AI agent CLI and Bun launcher
Rationale
The scanner's download/execute and shell findings are real but tied to user-invoked Bun installation/CLI operation, not npm install-time execution or hidden exfiltration. The bundled agent has dangerous dual-use features, but inspection did not find unconsented lifecycle mutation of foreign agent surfaces or concrete malicious behavior.
Evidence
package.json, bin/clew.cjs, bin/claudevil.cjs, bin/clew, bin/claudevil, dist/main.js, scripts/install.sh, scripts/install.ps1, scripts/preload.ts
Network endpoints (6)
bun.sh/install, api.clew-code.org, api.anthropic.com, api.openai.com/v1, openrouter.ai/api/v1, api.github.com

Decision evidence

public snapshot
AI called this Clean at 74.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/clew.cjs auto-installs Bun via curl/PowerShell when the user runs clew and Bun is missing
  • dist/main.js exposes agent capabilities including MCP, plugins, remote sessions, and explicit permission-bypass flags
  • scripts/install.sh and scripts/install.ps1 install clew-code globally via Bun and may install Bun
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepublishOnly is publish-time build only
  • bin/clew.cjs and bin/claudevil.cjs launch bundled dist/main.js with locally resolved Bun and do not hide import-time payloads
  • Dangerous agent features in dist/main.js are CLI commands/options, not unconsented npm lifecycle mutations
  • No evidence of credential harvesting/exfiltration or foreign AI-agent control-surface writes during install/import
  • Network endpoints are mostly provider/auth/docs/update/telemetry URLs aligned with an AI coding CLI
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
WildcardDependency
scanned 33 file(s), 372 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cline.bot, api.deepseek.com, api.github.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, bun.sh, claude.ai, code.claude.com, docs.expo.dev, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, router.huggingface.co, support.anthropic.com, www.schemastore.org
Oversized source lightweight scan
dist/main.js: 11.6 MB file, sampled 256 KB
Behaviors: Filesystem, Network, ChildProcess, EnvironmentVars, HighEntropyStrings, UrlStrings
Domains: api.anthropic.com, api.cline.bot, api.deepseek.com, api.groq.com, api.kilo.ai, api.mistral.ai, api.openai.com, api.sakana.ai, api.x.ai, app.corridor.dev, code.claude.com, docs.expo.dev, generativelanguage.googleapis.com, github.com, mcp.sentry.dev, opencode.ai, openrouter.ai, router.huggingface.co, www.schemastore.org

Source & flagged code

7 flagged
bin/claudevil.cjs
L1: #!/usr/bin/env node
L2: const { spawn, spawnSync } = require('child_process');
L3: const { existsSync } = require('fs');
High
Child Process

Package source references child process execution.

bin/claudevil.cjs · L1
L1: #!/usr/bin/env node
L2: const { spawn, spawnSync } = require('child_process');
L3: const { existsSync } = require('fs');
...
L17: function resolveBunCommand() {
L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which';
L19: const result = spawnSync(whichCommand, ['bun'], {
...
L24:
L25: if (result.status !== 0 || !result.stdout) {
L26: return null;
...
L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
L57: : 'curl -fsSL https://bun.sh/install | bash';
L58:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/claudevil.cjs · L1
scripts/preload.ts
L119: const c = readFileSync(file, 'utf-8')
L120: let m: RegExpExecArray | null
L121: while ((m = typePattern.exec(c)) !== null) allTypes.push(m[2])
High
Shell

Package source references shell execution.

scripts/preload.ts · L119
bin/clew.cjs
L1: #!/usr/bin/env node
L2: const { spawn, spawnSync } = require('child_process');
L3: const { existsSync } = require('fs');
...
L17: function resolveBunCommand() {
L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which';
L19: const result = spawnSync(whichCommand, ['bun'], {
...
L24:
L25: if (result.status !== 0 || !result.stdout) {
L26: return null;
...
L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
L57: : 'curl -fsSL https://bun.sh/install | bash';
L58: console.error('Clew requires Bun at runtime.');
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/clew.cjs · L1
Trigger-reachable chain: manifest.bin -> bin/clew.cjs
L1: #!/usr/bin/env node
L2: const { spawn, spawnSync } = require('child_process');
L3: const { existsSync } = require('fs');
...
L17: function resolveBunCommand() {
L18: const whichCommand = process.platform === 'win32' ? 'where' : 'which';
L19: const result = spawnSync(whichCommand, ['bun'], {
...
L24:
L25: if (result.status !== 0 || !result.stdout) {
L26: return null;
...
L56: ? 'powershell -c "irm bun.sh/install.ps1 | iex"'
L57: : 'curl -fsSL https://bun.sh/install | bash';
L58: console.error('Clew requires Bun at runtime.');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/clew.cjs · L1
scripts/install.sh
path = scripts/install.sh kind = build_helper sizeBytes = 2837 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install.sh
dist/main.js
path = dist/main.js kind = oversized_source_file sizeBytes = 12201248 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/main.js

Findings

2 Critical, 4 High, 5 Medium, 5 Low
Critical · Download Execute · bin/clew.cjs
Critical · Trigger Reachable Dangerous Capability · bin/clew.cjs
High · Child Process · bin/claudevil.cjs
High · Shell · scripts/preload.ts
High · Sandbox Evasion Gated Capability · bin/claudevil.cjs
High · Oversized Source File · dist/main.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/install.sh
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings