SkillTotal

Is @anthropic-ai/sdk safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Node.js filesystem read
  • Node.js filesystem write/delete

@anthropic-ai/sdk is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

@anthropic-ai/sdk 0.110.0

npm_package · npm:@anthropic-ai/sdk
LOW
0
/ 100 risk score
Snapshot · scanned Jul 7, 2026 · @anthropic-ai/sdk@0.110.0 · engine 0.34.2 / ruleset 34

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of @anthropic-ai/sdk's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writenetwork egressshell execution

Findings (4)

HIGHNode.js shell/command executionST-SHELL-NODE

The component can run operating-system commands or spawn processes.

const match = pattern.exec(navigator.userAgent);
const match = pattern.exec(navigator.userAgent);
while ((match = invalidSegmentPattern.exec(pathOnly)) !== null) {
while ((match = invalidSegmentPattern.exec(pathOnly)) !== null) {
const match = pattern.exec(navigator.userAgent);
while ((match = invalidSegmentPattern.exec(pathOnly)) !== null) {
import * as cp from 'node:child_process';
* across exec() calls. Uses pipes rather than a PTY so input is never echoed.
this.#proc = cp.spawn('/bin/bash', ['--noprofile', '--norc'], {
const { output, exitCode } = await session.exec(command, {
const proc = cp.spawn(rg, ['-n', '--no-heading', '-e', pattern, '--', searchPath], {
import { execFile } from 'node:child_process';
exec(_command: string, _opts?: {
* across exec() calls. Uses pipes rather than a PTY so input is never echoed.
exec(command: string, opts?: {
const cp = tslib_1.__importStar(require("node:child_process"));
* across exec() calls. Uses pipes rather than a PTY so input is never echoed.
tslib_1.__classPrivateFieldSet(this, _BashSession_proc, cp.spawn('/bin/bash', ['--noprofile', '--norc'], {
async exec(command, opts = {}) {
const { output, exitCode } = await session.exec(command, {
const proc = cp.spawn(rg, ['-n', '--no-heading', '-e', pattern, '--', searchPath], {

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUMNode.js filesystem readST-FS-NODE-READ

The component reads files from disk.

* the result of fs.createReadStream().
*   file: fs.createReadStream('path/to/file'),
*   file: fs.createReadStream('path/to/file'),
*   file: fs.createReadStream('path/to/file'),
*   files: [fs.createReadStream('path/to/file')],
*   files: [fs.createReadStream('path/to/file')],
*   files: [fs.createReadStream('path/to/file')],
*   { files: [fs.createReadStream('path/to/file')] },
*   { files: [fs.createReadStream('path/to/file')] },
*   { files: [fs.createReadStream('path/to/file')] },
* the result of fs.createReadStream().
*   file: fs.createReadStream('path/to/file'),
*   files: [fs.createReadStream('path/to/file')],
*   { files: [fs.createReadStream('path/to/file')] },
data = await fs.readFile(abs, 'utf8');
data = await fs.readFile(abs, 'utf8');
return await fs.readFile(fullPath, 'utf-8');
data = await fs.readFile(abs, 'utf8');
data = await fs.readFile(abs, 'utf8');
data = await fs.readFile(abs, 'utf8');
data = await fs.readFile(abs, 'utf8');
return await fs.readFile(fullPath, 'utf-8');
return await fs.readFile(fullPath, 'utf-8');

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMNode.js filesystem write/deleteST-FS-NODE-WRITE

The component writes or deletes files on disk.

await fs.unlink(tempPath).catch(() => {});
await fs.rm(dest, { recursive: true, force: true });
await fs.rm(dest, { recursive: true, force: true }).catch((e) => {
await fs.rm(tmp, { force: true });
await fs.rm(stage, { recursive: true, force: true });
await fs.unlink(tempPath).catch(() => {});
await fs.rm(fullPath, { recursive: true, force: false });
await fs.unlink(tempPath).catch(() => { });
await fs.unlink(tempPath).catch(() => { });
await fs.rm(dest, { recursive: true, force: true });
await fs.rm(dest, { recursive: true, force: true }).catch((e) => {
await fs.rm(tmp, { force: true });
await fs.rm(stage, { recursive: true, force: true });
await fs.rm(dest, { recursive: true, force: true });
await fs.rm(dest, { recursive: true, force: true }).catch((e) => {
await fs.rm(tmp, { force: true });
await fs.rm(stage, { recursive: true, force: true });
await fs.unlink(tempPath).catch(() => { });
await fs.rm(fullPath, { recursive: true, force: false });
await fs.unlink(tempPath).catch(() => { });
await fs.rm(fullPath, { recursive: true, force: false });

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

* timeout/abort errors, errors thrown by `fetch()`, and `APIConnectionError`s
// Expo fetch
            ('message' in err && String(err.message).includes('FetchRequestCanceledException'))));
// Expo fetch
            ('message' in err && String(err.message).includes('FetchRequestCanceledException'))));
: (await fetch('data:,')).constructor);
: (await fetch('data:,')).constructor);
resp = await config.fetch(url, {
resp = await config.fetch(url, {
resp = await config.fetch(url, {
resp = await config.fetch(url, {
* timeout/abort errors, errors thrown by `fetch()`, and `APIConnectionError`s
// Expo fetch
      ('message' in err && String((err as any).message).includes('FetchRequestCanceledException')))
: (await fetch('data:,')).constructor) as typeof Response;
resp = await config.fetch(url, {
resp = await config.fetch(url, {

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →