registry  /  @openthink/stamp  /  3.2.1

@openthink/stamp@3.2.1

Local, headless pull-request system for agent-to-agent code review workflows

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `stamp init` or `stamp bootstrap`; configured server hook processes a push.
Impact
Can influence agents in the initialized repository and enforce Stamp review workflow; no unconsented install-time mutation or concrete data exfiltration was established.
Mechanism
Explicit CLI scaffolding of agent guidance and review-gate files, plus optional server-side GitHub mirroring.
Rationale
Not malicious: no consumer install hook, hidden execution, credential theft, or unconsented broad control-surface mutation was confirmed. Warn because explicit CLI setup writes auto-loaded AI-agent guidance and persistent review-gate configuration.
Evidence
package.jsondist/index.jsdist/hooks/post-receive.cjsdist/server/seed-users.cjsdist/server/bootstrap-review-key.cjsAGENTS.mdCLAUDE.md.stamp/~/.stamp//srv/git/.stamp-state/users.db
Network endpoints2
api.github.comgithub.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `stamp init`/`bootstrap` writes to `AGENTS.md` and `CLAUDE.md`.
  • The inserted `CLAUDE.md` is auto-loaded agent guidance that constrains git workflow.
  • `stamp init` creates `.stamp/` configuration, reviewer prompts, keys, and local state.
  • `dist/index.js` runs configured checks through `spawnSync(..., {shell:true})` on explicit CLI use.
  • Server hook code can push mirrors and post GitHub statuses when server-side credentials/configuration are present.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
  • `dist/index.js` is a `stamp` CLI bin; reviewed mutations are command-triggered, not import-time.
  • No confirmed credential harvesting or exfiltration path was found in inspected client code.
  • Observed GitHub traffic is feature-aligned mirror/status functionality in `dist/hooks/post-receive.cjs`.
  • `dist/server/seed-users.cjs` seeds a server database from the operator-provided `AUTHORIZED_KEYS` environment variable; it is not a hidden client persistence payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.80 MB of source, external domains: api.anthropic.com, api.github.com, cli.github.com, docs.anthropic.com, docs.expo.dev, github.com, platform.claude.com, raw.githubusercontent.com, stamp-cli-production.up.railway.app

Source & flagged code

5 flagged · loading source
dist/index.jsView file
66// src/commands/bootstrap.ts L67: import { execFileSync as execFileSync3 } from "child_process"; L68: import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync6 } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L66
1308bounded before use? L1309: 5. **Subprocess invocation.** \`exec\` / \`spawn\` with \`shell: true\` or with L1310: arguments composed from external data is an injection risk. Prefer
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1308
13712} L13713: process.stderr.write( L13714: `error: broadcast to stamp-server failed. ... L13723: // src/commands/prListen.ts L13724: import { spawnSync as spawnSync18 } from "child_process"; L13725: import { mkdirSync as mkdirSync7, writeFileSync as writeFileSync16 } from "fs"; L13726: import { dirname as dirname10, join as join20 } from "path"; L13727: import { request as httpRequest3 } from "http"; L13728: import { request as httpsRequest3 } from "https";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L13712
66// src/commands/bootstrap.ts L67: import { execFileSync as execFileSync3 } from "child_process"; L68: import { existsSync as existsSync9, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync6 } from "fs"; ... L104: L105: This repository is gated by [stamp-cli](https://github.com/OpenThinkAi/stamp-cli). L106: Direct commits to protected branches (typically \`main\`) **will be rejected by ... L545: function maybeWarnAgentsMdDrift(opts) { L546: const env = opts.env ?? process.env; L547: if (env[DRIFT_WARNING_SUPPRESS_ENV] === "1") return false; ... L552: if (expected === sniffed) return false; L553: const stderr = opts.stderr ?? process.stderr; L554: const remoteName = opts.remote ?? "origin";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L66
dist/server/seed-users.cjsView file
22if (explicit) return explicit; L23: const envPath = process.env["STAMP_SERVER_DB_PATH"]; L24: if (envPath && envPath.length > 0) return envPath; ... L214: throw new Error( L215: "ssh pubkey line must have at least <algorithm> <base64> tokens" L216: ); ... L269: // src/server/seed-users.ts L270: var AUTHORIZED_KEYS = process.env["AUTHORIZED_KEYS"] ?? ""; L271: function main() {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/server/seed-users.cjsView on unpkg · L22

Findings

1 Critical3 High3 Medium5 Low
CriticalPersistence Backdoordist/server/seed-users.cjs
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings