Is CLI-Anything safe to use?

CLI-Anything has an HVTrust score of 44.3/100 (Grade D), ranked #162 of 203 open-source AI projects. This score reflects verifiable supply-chain integrity, transparency, maintenance, and adoption signals.

What is the trust score for CLI-Anything?

CLI-Anything scores 44.3/100 on HVTracker's evidence-weighted HVTrust scale. It has 42.0k GitHub stars and is categorized under Protocols & Tool Integration.

CLI-Anything

HKUDS/CLI-Anything

"CLI-Anything: Making ALL Software Agent-Native" -- CLI-Hub: https://clianything.cc/

Protocols & Tool Integration Python Grade D Listed Apache-2.0

Compare Compare saved agents Track this agent Suggest correction

Listing state

Listed

HVTrust

44.3/100 · Grade D

Last push

2026-06-04 · 0d ago

Recent change

New

Quick Trust Read

Verdict

Thin or incomplete trust evidence. Review carefully before production use.

44.3/100 · Grade D

Strongest Signal

Identity / Provenance

18.0/18

Weakest Signal

Safety / Integrity

8.9/25

What Would Improve It

Add or improve OSSF Scorecard coverage so safety checks are easier to verify.

Recent Changes

2026-06-04

Newly Listed

First tracked at rank #162

Maintainer Checklist

Add Scorecard coverage Expose the repository to OpenSSF Scorecard checks so supply-chain posture is easier to verify.

Increase signed commits Raise the share of verified-signed commits to make maintainer identity and release history easier to trust.

Compare with another agent Track CLI-Anything View Protocols & Tool Integration Report missing data

94.4

Activity Score · out of 100

44.3

HVTrust Score · out of 100

#162

Global Rank · of 203

In Protocols & Tool Integration

How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption. Grade D reflects the trust score band: A ≥ 80, B ≥ 65, C ≥ 50, D < 50. Full methodology →

Activity & Reach

Stars

42.0k

Forks

4.0k

Last Push

2026-06-04

today

Commits (4 wk)

140

Downloads (7d)

—

HN mentions (30d)

—

Open Issues

Rank Change

NEW

Analysis

HVTrust Dimensions

44.3 / 100 · 67.0% confidence

Safety / IntegrityOSSF, provenance, signatures

8.9 / 25

Identity / ProvenanceListing and build link

18.0 / 18

TransparencyLicense and public checks

8.5 / 17

MaintenanceFreshness and commits

20.0 / 20

AdoptionStars and downloads

11.1 / 20

Activity Inputs

94.4 / 100

StarsRepository reach

27.7 / 30

FreshnessLast push recency

25.0 / 25

ActivityRecent commits

25 / 25

CommunityFork signal

16.7 / 20

Supply Chain Trust

Package Provenance

Verified

pypi attestation

OSSF Scorecard

—

Not available

Signed Commits

29%

of last 100 commits verified

Is CLI-Anything safe?

Public trust evidence for CLI-Anything is thin: several supply-chain signals are missing or weak. This does not mean the project is unsafe — it means an outside observer cannot easily verify the usual integrity checks. Treat with extra scrutiny.

Does CLI-Anything publish package provenance?

Yes. CLI-Anything's package releases carry build provenance attestations, which cryptographically link the published package back to its source repository and CI workflow.

Does CLI-Anything have an OpenSSF Scorecard?

No OpenSSF Scorecard data is currently published for CLI-Anything. Maintainers can enable the Scorecard GitHub Action to get a public score; without it, automated supply-chain hygiene is harder for outsiders to verify.

Is CLI-Anything actively maintained?

Actively maintained. The repository was pushed to within the last 1 day(s).

What license does CLI-Anything use?

CLI-Anything ships under Apache-2.0. A declared, OSI-approved license is one of the transparency signals HVTrust scores.

Are CLI-Anything's commits signed?

28% of the last 100 commits to CLI-Anything are verified-signed (GPG, SSH, S/MIME, or GitHub's signing flow). Signed commits help confirm that code was authored by who the commit claims.

Not a safety endorsement. HVTracker describes what public signals show, not whether a project is safe for your use case. Run your own security review before adopting in production.

Runtime trust — coming soon

HVTrust currently scores supply-chain signals. We're adding runtime trust next: what an agent actually does when it runs — what it can reach, which tools it carries, what external services it depends on. Track progress on the roadmap →

MCP support
Tool / plugin surface
External service deps
Package provenance drift

Maintain CLI-Anything?

HVTrust scores CLI-Anything from public signals only — we never contact maintainers first. If a signal is wrong, stale, or missing (provenance you publish, a Scorecard you run, signed releases), tell us and we'll review it. Corrections are public and tracked on GitHub.

Submit a correction → Add the trust badge

Reputation Timeline

2026-06-04

Newly Listed

First tracked at rank #162

GitHub → PyPI: cli-anything-hub

Embed Badge Badge guide for maintainers →

        Markdown:

        [![HVTrust](https://hvtracker.net/badge/cli-anything.svg)](https://hvtracker.net/agents/cli-anything)

        HTML:

        <a href="https://hvtracker.net/agents/cli-anything"><img src="https://hvtracker.net/badge/cli-anything.svg" alt="HVTrust"></a>

Other agents in Protocols & Tool Integration

Data sources
GitHub REST API (repo, commits, stars, forks, license) · PyPI / pypistats (downloads, provenance)
Each agent's signals refresh once daily across 6 staggered batches. Methodology v3.1 · Raw JSON