AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `stoop init <directory>`; network actions require `login`, `generate`, or `deploy`.
Impact
Can influence AI agents operating in that project to use Stoop deployment guidance; no unconsented install-time persistence or exfiltration was confirmed.
Mechanism
User-invoked project skill and `AGENTS.md` configuration write.
Rationale
No concrete malicious chain was found. The explicit agent-configuration capability warrants a warning under the stated policy, rather than a block.
Evidence
package.jsondist/index.js<user-selected-directory>/.claude/skills/stoop/SKILL.md<user-selected-directory>/AGENTS.md~/.config/stoop/config.json
Network endpoints1
stoop.run
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` implements `stoop init`, which writes `.claude/skills/stoop/SKILL.md` and updates `AGENTS.md` in a user-selected directory.
- The generated `AGENTS.md` block directs AI agents to read the package-owned skill and use `npx @stoop/cli deploy`.
- `dist/index.js` sends OAuth, generation, and deployment requests to the configured Stoop base URL; default is `https://stoop.run`.
Evidence against
- `package.json` has only `prepublishOnly`; there are no install-time lifecycle hooks.
- The agent-file mutation is reachable only through the explicit `stoop init` command, not import or installation.
- `dist/index.js` scopes skill writes to the selected project directory and preserves other `AGENTS.md` content outside its marked block.
- Deploy collection excludes `node_modules`, `AGENTS.md`, and `CLAUDE.md` from uploads.
- No hidden shell execution, eval, remote code loading, credential harvesting, or destructive file deletion was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
28619patternName = generic_password
severity = medium
line = 28619
matchedText = password...d]",
Medium
60opt.whitespace = opt.whitespace === true || opt.align === true;
L61: opt.platform = opt.platform || typeof process !== "undefined" && process.platform;
L62: opt.bracketedArray = opt.bracketedArray !== false;
...
L160: const valueRaw = match6[3] ? unsafe(match6[4]) : true;
L161: const value2 = valueRaw === "true" || valueRaw === "false" || valueRaw === "null" ? JSON.parse(valueRaw) : valueRaw;
L162: if (isArray2) {
...
L9887: yield* this.next(token);
L9888: yield* this.end(forceDoc, endOffset);
L9889: }
L9890: *next(token) {
L9891: if (node_process.env.LOG_STREAM)
L9892: console.dir(token, { depth: null });
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L60Findings
4 Medium5 Low
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings