registry  /  @openthink/stamp  /  3.2.2

@openthink/stamp@3.2.2

Local, headless pull-request system for agent-to-agent code review workflows

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `stamp init` or `stamp bootstrap` in a repository.
Impact
Can influence future agent behavior in that repository; no unconsented install-time mutation was found.
Mechanism
Explicit project-scoped AI-agent instruction and Git-policy scaffolding.
Rationale
Static inspection does not support a malicious verdict: no consumer lifecycle hook or covert exfiltration chain was found. The explicit agent-instruction mutation warrants a warning under the firewall policy.
Evidence
package.jsondist/index.jsdist/chunk-TUJLSQKG.jsAGENTS.mdCLAUDE.md.stamp/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `stamp init`/`bootstrap` to create or update repository-root `AGENTS.md` and `CLAUDE.md`.
  • The `CLAUDE.md` content states it is auto-loaded by Claude Code and directs agent git workflow.
  • The same explicit setup path scaffolds `.stamp/` policy files and can stage them with Git.
  • `dist/index.js` runs configured checks through `spawnSync(..., {shell:true})`, but this is command-driven project checking rather than install-time execution.
  • `dist/index.js` has user-configured HTTP/reviewer-fetch functionality, including `https://raw.githubusercontent.com/` sources.
Evidence against
  • `package.json` has only `prepublishOnly`; no `preinstall`, `install`, or `postinstall` hook executes for consumers.
  • The package entrypoint is a `stamp` CLI; inspected filesystem, shell, network, and agent-file actions are reached through explicit commands.
  • Agent-file writes are scoped to the current repository root and use managed marker blocks.
  • No inspected source showed credential harvesting, hidden exfiltration, remote payload execution, or broad foreign control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.80 MB of source, external domains: api.anthropic.com, api.github.com, cli.github.com, docs.anthropic.com, docs.expo.dev, github.com, platform.claude.com, raw.githubusercontent.com, stamp-cli-production.up.railway.app

Source & flagged code

6 flagged · loading source
dist/index.jsView file
67// src/commands/bootstrap.ts L68: import { execFileSync as execFileSync3 } from "child_process"; L69: import { existsSync as existsSync10, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync7 } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L67
1309bounded before use? L1310: 5. **Subprocess invocation.** \`exec\` / \`spawn\` with \`shell: true\` or with L1311: arguments composed from external data is an injection risk. Prefer
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1309
13821} L13822: process.stderr.write( L13823: `error: broadcast to stamp-server failed. ... L13832: // src/commands/prListen.ts L13833: import { spawnSync as spawnSync18 } from "child_process"; L13834: import { mkdirSync as mkdirSync7, writeFileSync as writeFileSync16 } from "fs"; L13835: import { dirname as dirname10, join as join20 } from "path"; L13836: import { request as httpRequest3 } from "http"; L13837: import { request as httpsRequest3 } from "https";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L13821
67// src/commands/bootstrap.ts L68: import { execFileSync as execFileSync3 } from "child_process"; L69: import { existsSync as existsSync10, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync7 } from "fs"; ... L105: L106: This repository is gated by [stamp-cli](https://github.com/OpenThinkAi/stamp-cli). L107: Direct commits to protected branches (typically \`main\`) **will be rejected by ... L546: function maybeWarnAgentsMdDrift(opts) { L547: const env = opts.env ?? process.env; L548: if (env[DRIFT_WARNING_SUPPRESS_ENV] === "1") return false; ... L553: if (expected === sniffed) return false; L554: const stderr = opts.stderr ?? process.stderr; L555: const remoteName = opts.remote ?? "origin";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L67
dist/server/seed-users.cjsView file
22if (explicit) return explicit; L23: const envPath = process.env["STAMP_SERVER_DB_PATH"]; L24: if (envPath && envPath.length > 0) return envPath; ... L214: throw new Error( L215: "ssh pubkey line must have at least <algorithm> <base64> tokens" L216: ); ... L269: // src/server/seed-users.ts L270: var AUTHORIZED_KEYS = process.env["AUTHORIZED_KEYS"] ?? ""; L271: function main() {
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/server/seed-users.cjsView on unpkg · L22
dist/chunk-TUJLSQKG.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @openthink/stamp@3.2.1 matchedIdentity = npm:QG9wZW50aGluay9zdGFtcA:3.2.1 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-TUJLSQKG.jsView on unpkg

Findings

2 Critical3 High3 Medium5 Low
CriticalPersistence Backdoordist/server/seed-users.cjs
CriticalPrevious Version Dangerous Deltadist/chunk-TUJLSQKG.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings