registry  /  stash  /  0.17.1

stash@0.17.1

CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs stash init/plan/impl and selects an agent handoff or AGENTS.md output.
Impact
Local agent behavior can be influenced for CipherStash setup, but inspection found package-aligned rules and no install-time hijack or exfiltration.
Mechanism
Explicit CLI writes agent guidance/skills and may spawn local agent binaries.
Rationale
Source inspection found no install-time execution, credential exfiltration, remote payload execution, or destructive behavior. Because the package explicitly writes agent control files and can launch agents as a user-selected setup handoff, downgrade to warn rather than block.
Evidence
package.jsondist/bin/stash.jsdist/bin/main-EDWFDE6S.jsdist/bin/chunk-R2VBVQOH.jsdist/index.cjsdist/commands/init/doctrine/AGENTS-doctrine.mdAGENTS.md.codex/skills.claude/skills.cipherstash/context.json.cipherstash/setup-prompt.md
Network endpoints2
github.com/cipherstash/encrypt-query-language/releases/download/eql-2.3.1/cipherstash-encrypt.sqlgithub.com/cipherstash/encrypt-query-language/releases/download/eql-2.3.1/cipherstash-encrypt-supabase.sql

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • dist/bin/chunk-R2VBVQOH.js copies bundled skills into .codex/skills or .claude/skills during explicit handoff steps.
  • dist/bin/chunk-R2VBVQOH.js writes/upserts AGENTS.md and .cipherstash setup context, then may spawn codex or claude.
  • dist/bin/chunk-R2VBVQOH.js launches Claude with --allow-dangerously-skip-permissions in the explicit Claude handoff path.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Agent-file writes are tied to user-invoked init/plan/impl handoff flows, not install-time execution.
  • Bundled AGENTS doctrine is CipherStash setup guidance, not credential theft or reviewer manipulation.
  • Network fetches are package-aligned EQL SQL downloads from github.com when requested; no exfiltration endpoint found.
  • Secrets handling references env key names and database URLs for CLI/database operations; no harvesting loop found.
  • Dynamic imports/jiti load user config or command chunks for CLI behavior, not remote payloads.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 332 KB of source, external domains: cipherstash.com, code.claude.com, dashboard.cipherstash.com, github.com

Source & flagged code

1 flagged · loading source
dist/bin/backfill-X3MBDG4G.jsView file
2import { createRequire as __createRequire } from 'module'; L3: var require = __createRequire(import.meta.url); L4: import {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/backfill-X3MBDG4G.jsView on unpkg · L2

Findings

3 Medium4 Low
MediumDynamic Requiredist/bin/backfill-X3MBDG4G.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings