registry  /  @openthink/stamp  /  1.11.0

@openthink/stamp@1.11.0

Local, headless pull-request system for agent-to-agent code review workflows

AI Security Review

scanned 6h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit `stamp init` or `stamp bootstrap` invocation in a target repository.
Impact
Can influence configured agents and repository workflow policy in the selected project; it is not triggered by npm installation.
Mechanism
User-invoked repository policy and AI-agent instruction scaffolding.
Rationale
Source inspection disproves the scanner's install-persistence/backdoor interpretation, but confirms explicit-user agent configuration mutation. Under the stated policy this warrants a warning rather than a block.
Evidence
package.jsondist/index.jsdist/server/seed-users.cjsdist/server/start-http-server.cjsAGENTS.mdCLAUDE.md.stamp/.github/workflows/stamp-verify.yml~/.stamp/keys/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes `stamp init` that writes `AGENTS.md` and `CLAUDE.md`.
  • `stamp init` can create `.github/workflows/stamp-verify.yml` and `.stamp/` policy files.
  • These mutations are explicit CLI actions, not npm lifecycle hooks.
  • `dist/server/seed-users.cjs` manages a local SQLite user database; no backdoor payload was found.
Evidence against
  • `package.json` has only `prepublishOnly`; install has no preinstall/install/postinstall hook.
  • `dist/index.js` is a user-invoked CLI entrypoint, with command registration at runtime.
  • Remote reviewer fetching is an explicit `reviewers fetch --from` command and rejects plain HTTP.
  • No eval/vm/Function use, credential exfiltration, stealth persistence, or import-time network activity was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 949 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
56// src/commands/bootstrap.ts L57: import { execFileSync } from "child_process"; L58: import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync, statSync, writeFileSync as writeFileSync5 } from "fs"; ... L91: L92: This repository is gated by [stamp-cli](https://github.com/OpenThinkAi/stamp-cli). L93: Direct commits to protected branches (typically \`main\`) **will be rejected by ... L874: values hardcoded in any tracked file. Even in tests, docs, or comments. L875: 2. **Dependency risk.** New entries in the manifest (package.json, L876: requirements, Cargo.toml, etc.) \u2014 obscure authors, names resembling ... L1074: error shapes, output formats, etc. L1075: 2. **Breaking changes.** Renamed flags, changed exit codes, modified L1076: response shapes, removed public APIs \u2014 any of these break external
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L56
dist/server/seed-users.cjsView file
22if (explicit) return explicit; L23: const envPath = process.env["STAMP_SERVER_DB_PATH"]; L24: if (envPath && envPath.length > 0) return envPath; ... L148: throw new Error( L149: "ssh pubkey line must have at least <algorithm> <base64> tokens" L150: ); ... L197: // src/server/seed-users.ts L198: var AUTHORIZED_KEYS = process.env["AUTHORIZED_KEYS"] ?? ""; L199: function deriveShortName(comment, index) {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/server/seed-users.cjsView on unpkg · L22

Findings

1 Critical3 Medium5 Low
CriticalPersistence Backdoordist/server/seed-users.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings