AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `stoop init [directory]`; separately, `login`, `deploy`, or `generate` invoke their documented workflows.
Impact
A project agent may be directed to use this CLI for deployment; no unconsented install-time mutation or concrete malicious payload was found.
Mechanism
Writes Claude skill and AGENTS guidance that can influence future coding-agent behavior.
Rationale
The package is not malicious by source inspection, but its explicit project-agent configuration mutation meets the firewall warn policy for AI-agent capability abuse. Its network, token storage, browser opening, and deployment behavior are documented and command-triggered.
Evidence
package.jsonREADME.mddist/index.js.claude/skills/stoop/SKILL.mdAGENTS.md
Network endpoints1
stoop.run
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` implements `stoop init`, an explicit command that writes agent guidance.
- `stoop init` creates `.claude/skills/stoop/SKILL.md` and upserts a block in `AGENTS.md`.
- The generated guidance directs coding agents to deploy with `npx @stoop/cli deploy`.
- `login` persists a user-approved OAuth token in `~/.config/stoop/config.json` with mode `0600`.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- Agent-file writes occur only through the explicit `stoop init [directory]` command.
- Network use is package-aligned: OAuth, deployment, AI generation, and optional post-deploy probes against the configured Stoop origin.
- No source evidence of credential harvesting, hidden exfiltration, remote code loading, destructive actions, or stealth persistence.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
28619patternName = generic_password
severity = medium
line = 28619
matchedText = password...d]",
Medium
60opt.whitespace = opt.whitespace === true || opt.align === true;
L61: opt.platform = opt.platform || typeof process !== "undefined" && process.platform;
L62: opt.bracketedArray = opt.bracketedArray !== false;
...
L160: const valueRaw = match6[3] ? unsafe(match6[4]) : true;
L161: const value2 = valueRaw === "true" || valueRaw === "false" || valueRaw === "null" ? JSON.parse(valueRaw) : valueRaw;
L162: if (isArray2) {
...
L9887: yield* this.next(token);
L9888: yield* this.end(forceDoc, endOffset);
L9889: }
L9890: *next(token) {
L9891: if (node_process.env.LOG_STREAM)
L9892: console.dir(token, { depth: null });
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L60Findings
4 Medium5 Low
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings