AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `agentstash init` configures Claude/Cursor to launch this MCP server and installs a package-owned Claude skill. When launched, MCP tools synchronize caller-supplied project memory and progress data with Agent Stash; no covert attack chain was found.
Static reason
No blocking static signals were detected.
Trigger
User runs `agentstash init`, then a configured AI client launches the MCP server and calls its tools.
Impact
Persists an MCP integration and sends tool-supplied project context to the configured service.
Mechanism
Explicit AI-agent extension setup plus hosted memory synchronization.
Rationale
No concrete malware behavior was found, but explicit first-party AI-agent extension setup is a warn-class lifecycle risk under the firewall policy.
Evidence
package.jsonsrc/bin.jssrc/index.jssrc/cli/init.jssrc/cli/merge-json.jssrc/cli/targets/claude.jssrc/cli/targets/cursor.jssrc/cli/skill-template.md~/.agentstash/config.json~/.claude/settings.json~/.claude/skills/agent-stash/SKILL.md~/.cursor/mcp.json
Network endpoints1
agentstash.ai
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/cli/init.js` explicitly writes Agent Stash setup to Claude and Cursor.
- `src/cli/targets/claude.js` installs `~/.claude/skills/agent-stash/SKILL.md`.
- `src/cli/merge-json.js` adds an MCP entry that runs `npx -y @agentstash/mcp`.
- `src/index.js` sends user/agent-supplied memories and logs to Agent Stash.
Evidence against
- `package.json` contains no preinstall/install/postinstall lifecycle hook.
- CLI mutations occur only through explicit `init`; `uninstall` removes only managed entries.
- Shell calls are fixed `git config` or `claude` CLI arguments, with no shell interpolation.
- No credential-file harvesting, dynamic code loading, eval, remote payload execution, or destructive behavior found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/index.jsView file
20} from "@modelcontextprotocol/sdk/types.js";
L21: import { execSync } from "node:child_process";
L22: import path from "node:path";
High
10* AGENT_STASH_API_KEY (required) — your API key from agentstash.ai
L11: * AGENT_STASH_URL (optional) — defaults to https://agentstash.ai
L12: * AGENT_STASH_PROJECT (optional) — override project namespace
...
L20: } from "@modelcontextprotocol/sdk/types.js";
L21: import { execSync } from "node:child_process";
L22: import path from "node:path";
L23:
L24: const API_BASE = (process.env.AGENT_STASH_URL || "https://agentstash.ai").replace(/\/$/, "");
L25: const API_KEY = process.env.AGENT_STASH_API_KEY;
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/index.jsView on unpkg · L10Findings
3 High2 Medium4 Low
HighChild Processsrc/index.js
HighShell
HighSame File Env Network Executionsrc/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings