registry  /  @stoop/cli  /  0.2.1

@stoop/cli@0.2.1

Deploy static sites to stoop from the terminal.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `stoop init <directory>`; network actions require `login`, `generate`, or `deploy`.
Impact
Can influence AI agents operating in that project to use Stoop deployment guidance; no unconsented install-time persistence or exfiltration was confirmed.
Mechanism
User-invoked project skill and `AGENTS.md` configuration write.
Rationale
No concrete malicious chain was found. The explicit agent-configuration capability warrants a warning under the stated policy, rather than a block.
Evidence
package.jsondist/index.js<user-selected-directory>/.claude/skills/stoop/SKILL.md<user-selected-directory>/AGENTS.md~/.config/stoop/config.json
Network endpoints1
stoop.run

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `stoop init`, which writes `.claude/skills/stoop/SKILL.md` and updates `AGENTS.md` in a user-selected directory.
  • The generated `AGENTS.md` block directs AI agents to read the package-owned skill and use `npx @stoop/cli deploy`.
  • `dist/index.js` sends OAuth, generation, and deployment requests to the configured Stoop base URL; default is `https://stoop.run`.
Evidence against
  • `package.json` has only `prepublishOnly`; there are no install-time lifecycle hooks.
  • The agent-file mutation is reachable only through the explicit `stoop init` command, not import or installation.
  • `dist/index.js` scopes skill writes to the selected project directory and preserves other `AGENTS.md` content outside its marked block.
  • Deploy collection excludes `node_modules`, `AGENTS.md`, and `CLAUDE.md` from uploads.
  • No hidden shell execution, eval, remote code loading, credential harvesting, or destructive file deletion was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.24 MB of source, external domains: github.com, stoop.run

Source & flagged code

2 flagged · loading source
dist/index.jsView file
28619patternName = generic_password severity = medium line = 28619 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L28619
60opt.whitespace = opt.whitespace === true || opt.align === true; L61: opt.platform = opt.platform || typeof process !== "undefined" && process.platform; L62: opt.bracketedArray = opt.bracketedArray !== false; ... L160: const valueRaw = match6[3] ? unsafe(match6[4]) : true; L161: const value2 = valueRaw === "true" || valueRaw === "false" || valueRaw === "null" ? JSON.parse(valueRaw) : valueRaw; L162: if (isArray2) { ... L9887: yield* this.next(token); L9888: yield* this.end(forceDoc, endOffset); L9889: } L9890: *next(token) { L9891: if (node_process.env.LOG_STREAM) L9892: console.dir(token, { depth: null });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L60

Findings

4 Medium5 Low
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings