registry  /  @openthink/stamp  /  3.2.0

@openthink/stamp@3.2.0

Local, headless pull-request system for agent-to-agent code review workflows

AI Security Review

scanned 15h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `stamp init` or `stamp review`.
Impact
Can influence agent behavior in repositories where the user intentionally initializes Stamp; review data is sent to Anthropic.
Mechanism
Explicit repository agent-instruction mutation and AI review API use.
Rationale
No malicious install-time or covert execution behavior was found. Warn because explicit CLI initialization mutates AI-agent control files and the package’s core operation transmits review content to Anthropic.
Evidence
package.jsondist/index.jsREADME.mdAGENTS.mdCLAUDE.md.stamp/
Network endpoints1
api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `stamp init` writers for repository-root `AGENTS.md` and `CLAUDE.md`.
  • Those managed instructions direct Claude Code agents to use Stamp’s review/merge workflow.
  • `dist/index.js` includes Anthropic SDK networking for its advertised AI review function.
Evidence against
  • `package.json` has only `prepublishOnly`; no `preinstall`, `install`, or `postinstall` hook.
  • CLI startup parses arguments; configuration writes are reached through explicit commands, not package import or installation.
  • No `eval`/`Function` loader or unconsented remote payload execution was found in packaged code.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.80 MB of source, external domains: api.anthropic.com, api.github.com, cli.github.com, docs.anthropic.com, docs.expo.dev, github.com, platform.claude.com, raw.githubusercontent.com, stamp-cli-production.up.railway.app

Source & flagged code

5 flagged · loading source
dist/index.jsView file
66// src/commands/bootstrap.ts L67: import { execFileSync as execFileSync3 } from "child_process"; L68: import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync6 } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L66
1308bounded before use? L1309: 5. **Subprocess invocation.** \`exec\` / \`spawn\` with \`shell: true\` or with L1310: arguments composed from external data is an injection risk. Prefer
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1308
13712} L13713: process.stderr.write( L13714: `error: broadcast to stamp-server failed. ... L13723: // src/commands/prListen.ts L13724: import { spawnSync as spawnSync18 } from "child_process"; L13725: import { mkdirSync as mkdirSync7, writeFileSync as writeFileSync16 } from "fs"; L13726: import { dirname as dirname10, join as join20 } from "path"; L13727: import { request as httpRequest3 } from "http"; L13728: import { request as httpsRequest3 } from "https";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L13712
66// src/commands/bootstrap.ts L67: import { execFileSync as execFileSync3 } from "child_process"; L68: import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync6 } from "fs"; ... L104: L105: This repository is gated by [stamp-cli](https://github.com/OpenThinkAi/stamp-cli). L106: Direct commits to protected branches (typically \`main\`) **will be rejected by ... L545: function maybeWarnAgentsMdDrift(opts) { L546: const env = opts.env ?? process.env; L547: if (env[DRIFT_WARNING_SUPPRESS_ENV] === "1") return false; ... L552: if (expected === sniffed) return false; L553: const stderr = opts.stderr ?? process.stderr; L554: const remoteName = opts.remote ?? "origin";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L66
dist/server/seed-users.cjsView file
22if (explicit) return explicit; L23: const envPath = process.env["STAMP_SERVER_DB_PATH"]; L24: if (envPath && envPath.length > 0) return envPath; ... L214: throw new Error( L215: "ssh pubkey line must have at least <algorithm> <base64> tokens" L216: ); ... L269: // src/server/seed-users.ts L270: var AUTHORIZED_KEYS = process.env["AUTHORIZED_KEYS"] ?? ""; L271: function main() {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/server/seed-users.cjsView on unpkg · L22

Findings

1 Critical3 High3 Medium5 Low
CriticalPersistence Backdoordist/server/seed-users.cjs
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings