Is anthropic safe?
- Python filesystem read
- Python network egress
- Python filesystem write/delete
anthropic is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, mcp tools detected and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).
anthropic 0.116.0
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of anthropic's authors. Report a false positive.
Findings (4)
The component reads files from disk.
return (path.name, path.read_bytes())
return pathlib.Path(file).read_bytes()
return (path.name, await path.read_bytes())
return await anyio.Path(file).read_bytes()
binary = data.read_bytes()
binary = await anyio.Path(data).read_bytes()
contents = Path(path).read_bytes()
files.append((path.relative_to(relative_to).as_posix(), path.read_bytes()))
files.append((path.relative_to(relative_to).as_posix(), await path.read_bytes()))
name = (_config_dir() / "active_config").read_text(encoding="utf-8").strip()
raw = self._config_path.read_text(encoding="utf-8")
raw = path.read_text(encoding="utf-8")
content = self._path.read_text(encoding="utf-8").strip()
return full_path.read_text(encoding="utf-8")
return await full_path.read_text(encoding="utf-8")
text = target.read_text()
text = target.read_text()
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
with open(file, mode="wb") as f:
with open(file, mode="wb") as f:
with open(file, mode="wb") as f:
with open(file, mode="wb") as f:
os.unlink(tmp)
shutil.rmtree(full_path)
shutil.rmtree(self.memory_root)
with zf.open(info) as src, open(target, "wb") as out:
shutil.copyfileobj(src, out)
with extracted as src, open(target, "wb") as out:
shutil.copyfileobj(src, out)
target.write_text(content)
target.write_text(updated)
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
import httpx
from httpx import URL, Proxy, HTTPTransport, AsyncHTTPTransport
from httpx._config import (
DEFAULT_TIMEOUT_CONFIG, # pyright: ignore[reportPrivateImportUsage]
)from httpx._config import DEFAULT_TIMEOUT_CONFIG as HTTPX_DEFAULT_TIMEOUT
return httpx.QueryParams(cast(Any, self._options.params)).merge(url.params)
self._base_url = self._enforce_trailing_slash(URL(base_url))
headers = httpx.Headers(headers_dict)
merge_url = URL(url)
self._base_url = self._enforce_trailing_slash(url if isinstance(url, URL) else URL(url))
proxy_map = {key: None if url is None else Proxy(url=url) for key, url in get_environment_proxies().items()}key: None if proxy is None else HTTPTransport(proxy=proxy, **transport_kwargs)
default_transport = HTTPTransport(**transport_kwargs)
proxy_map = {key: None if url is None else Proxy(url=url) for key, url in get_environment_proxies().items()}key: None if proxy is None else AsyncHTTPTransport(proxy=proxy, **transport_kwargs)
default_transport = AsyncHTTPTransport(**transport_kwargs)
import httpx
import httpx
DEFAULT_TIMEOUT = httpx.Timeout(timeout=10 * 60, connect=5.0)
DEFAULT_CONNECTION_LIMITS = httpx.Limits(max_connections=1000, max_keepalive_connections=100)
import httpx
import httpx
import httpx
from urllib.parse import parse_qs, urlencode
return parse_qs(query)
return urlencode(
self.stringify_items(
params,
array_format=array_format,
nested_format=nested_format,
)
)Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
raise RuntimeError("Cannot call a synchronous function asynchronously. Use `@tool` instead.")Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →