AI Security Review
scanned 6h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit `stamp init` or `stamp bootstrap` invocation in a target repository.
Impact
Can influence configured agents and repository workflow policy in the selected project; it is not triggered by npm installation.
Mechanism
User-invoked repository policy and AI-agent instruction scaffolding.
Rationale
Source inspection disproves the scanner's install-persistence/backdoor interpretation, but confirms explicit-user agent configuration mutation. Under the stated policy this warrants a warning rather than a block.
Evidence
package.jsondist/index.jsdist/server/seed-users.cjsdist/server/start-http-server.cjsAGENTS.mdCLAUDE.md.stamp/.github/workflows/stamp-verify.yml~/.stamp/keys/
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` exposes `stamp init` that writes `AGENTS.md` and `CLAUDE.md`.
- `stamp init` can create `.github/workflows/stamp-verify.yml` and `.stamp/` policy files.
- These mutations are explicit CLI actions, not npm lifecycle hooks.
- `dist/server/seed-users.cjs` manages a local SQLite user database; no backdoor payload was found.
Evidence against
- `package.json` has only `prepublishOnly`; install has no preinstall/install/postinstall hook.
- `dist/index.js` is a user-invoked CLI entrypoint, with command registration at runtime.
- Remote reviewer fetching is an explicit `reviewers fetch --from` command and rejects plain HTTP.
- No eval/vm/Function use, credential exfiltration, stealth persistence, or import-time network activity was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
56// src/commands/bootstrap.ts
L57: import { execFileSync } from "child_process";
L58: import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync, statSync, writeFileSync as writeFileSync5 } from "fs";
...
L91:
L92: This repository is gated by [stamp-cli](https://github.com/OpenThinkAi/stamp-cli).
L93: Direct commits to protected branches (typically \`main\`) **will be rejected by
...
L874: values hardcoded in any tracked file. Even in tests, docs, or comments.
L875: 2. **Dependency risk.** New entries in the manifest (package.json,
L876: requirements, Cargo.toml, etc.) \u2014 obscure authors, names resembling
...
L1074: error shapes, output formats, etc.
L1075: 2. **Breaking changes.** Renamed flags, changed exit codes, modified
L1076: response shapes, removed public APIs \u2014 any of these break external
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L56dist/server/seed-users.cjsView file
22if (explicit) return explicit;
L23: const envPath = process.env["STAMP_SERVER_DB_PATH"];
L24: if (envPath && envPath.length > 0) return envPath;
...
L148: throw new Error(
L149: "ssh pubkey line must have at least <algorithm> <base64> tokens"
L150: );
...
L197: // src/server/seed-users.ts
L198: var AUTHORIZED_KEYS = process.env["AUTHORIZED_KEYS"] ?? "";
L199: function deriveShortName(comment, index) {
Critical
Persistence Backdoor
Source writes persistence or remote-access backdoor material.
dist/server/seed-users.cjsView on unpkg · L22Findings
1 Critical3 Medium5 Low
CriticalPersistence Backdoordist/server/seed-users.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings