MCP Observatory
npm analyzed 8.28.25

clavue

v8.28.25
npm

Clavue: execution-first AI coding CLI with direct repo tools, provider routing, native workflows, MCP integration, and long-session recovery

maintainer
calm2026
license
first seen
2026-06-03
last seen
2026-06-16
releases · 30d
113
short id

Drift inferred · capture-to-capture

  1. HIGH code analysis flagged dynamic code execution ×6 in clavue
capabilities0 tools
transport stdio · http counts 0 tools · 0 res · 0 prompts permission surface via code analysis

no tools enumerated yet for this server.

code evidencev8.28.25 · npm-tarball
evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 4

  • fs package/dist/login-redirect-command.js :1 import { existsSync, readFileSync } from 'node:fs'
  • fs package/dist/mao-command.js :5 GFS4: `),console.error(m)},"debug"));fs6[gracefulQueue]||(queue=global[gracefulQueue]||[],publishQueue(fs6,queue),fs6.close=(function(fs$close){function close(fd,cb){return fs$close.call(fs6,fd,functi
  • fs package/dist/provider-setup.js :3 import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
  • fs package/dist/team-command.js :1 import { existsSync, readdirSync, readFileSync } from 'node:fs'

shell / exec 2

  • shell package/dist/mao-command.js :5 GFS4: `),console.error(m)},"debug"));fs6[gracefulQueue]||(queue=global[gracefulQueue]||[],publishQueue(fs6,queue),fs6.close=(function(fs$close){function close(fd,cb){return fs$close.call(fs6,fd,functi
  • shell package/dist/provider-setup.js :1 import { execFileSync, spawnSync } from 'node:child_process'

network 1

  • net package/dist/provider-setup.js :3061 const response = await fetch(

secrets 1

  • secrets package/dist/provider-setup.js :4369 delete process.env.ANTHROPIC_API_KEY

declared dependencies 62

  • @anthropic-ai/sandbox-runtime@^0.0.49
  • @openai/codex@0.118.0
  • @opentelemetry/api@^1.9.1
  • @opentelemetry/api-logs@^0.214.0
  • @opentelemetry/core@^2.6.1
  • @opentelemetry/resources@^2.6.1
  • @opentelemetry/sdk-logs@^0.214.0
  • @opentelemetry/sdk-metrics@^2.6.1
  • @opentelemetry/sdk-trace-base@^2.6.1
  • @opentelemetry/semantic-conventions@^1.40.0
  • ajv@^8.18.0
  • lru-cache@^11.3.0
  • qrcode@^1.5.4
  • @anthropic-ai/sdk@^0.82.0
  • @aws-sdk/client-bedrock-runtime@^3.1024.0
  • @commander-js/extra-typings@^14.0.0
  • @growthbook/growthbook@^1.6.5
  • @modelcontextprotocol/sdk@^1.29.0
  • asciichart@^1.5.25
  • auto-bind@^5.0.1
  • axios@^1.14.0
  • bidi-js@^1.0.3
  • chalk@^5.6.2
  • chokidar@^5.0.0
  • cli-boxes@^4.0.1
  • code-excerpt@^4.0.0
  • diff@^8.0.4
  • env-paths@^4.0.0
  • esbuild@^0.27.4
  • execa@^9.6.1
  • fflate@^0.8.2
  • figures@^6.1.0
  • fuse.js@^7.3.0
  • get-east-asian-width@^1.5.0
  • google-auth-library@^10.6.2
  • highlight.js@^11.11.1
  • https-proxy-agent@^9.0.0
  • ignore@^7.0.5
  • indent-string@^5.0.0
  • ink@^6.8.0
  • jsonc-parser@^3.3.1
  • lodash-es@^4.18.1
  • marked@^17.0.6
  • p-map@^7.0.4
  • picomatch@^4.0.4
  • proper-lockfile@^4.1.2
  • react@^19.2.4
  • react-reconciler@^0.33.0
  • semver@^7.7.4
  • signal-exit@^4.1.0
  • stack-utils@^2.0.6
  • supports-hyperlinks@^4.4.0
  • tree-kill@^1.2.2
  • turndown@^7.2.4
  • type-fest@^5.5.0
  • typescript@^6.0.2
  • undici@^8.0.2
  • usehooks-ts@^3.1.1
  • vscode-languageserver-protocol@^3.17.5
  • ws@^8.20.0
  • xss@^1.0.15
  • yaml@^2.8.3