AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs stash init/plan/impl and selects an agent handoff or AGENTS.md output.
Impact
Local agent behavior can be influenced for CipherStash setup, but inspection found package-aligned rules and no install-time hijack or exfiltration.
Mechanism
Explicit CLI writes agent guidance/skills and may spawn local agent binaries.
Rationale
Source inspection found no install-time execution, credential exfiltration, remote payload execution, or destructive behavior. Because the package explicitly writes agent control files and can launch agents as a user-selected setup handoff, downgrade to warn rather than block.
Evidence
package.jsondist/bin/stash.jsdist/bin/main-EDWFDE6S.jsdist/bin/chunk-R2VBVQOH.jsdist/index.cjsdist/commands/init/doctrine/AGENTS-doctrine.mdAGENTS.md.codex/skills.claude/skills.cipherstash/context.json.cipherstash/setup-prompt.md
Network endpoints2
github.com/cipherstash/encrypt-query-language/releases/download/eql-2.3.1/cipherstash-encrypt.sqlgithub.com/cipherstash/encrypt-query-language/releases/download/eql-2.3.1/cipherstash-encrypt-supabase.sql
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- dist/bin/chunk-R2VBVQOH.js copies bundled skills into .codex/skills or .claude/skills during explicit handoff steps.
- dist/bin/chunk-R2VBVQOH.js writes/upserts AGENTS.md and .cipherstash setup context, then may spawn codex or claude.
- dist/bin/chunk-R2VBVQOH.js launches Claude with --allow-dangerously-skip-permissions in the explicit Claude handoff path.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Agent-file writes are tied to user-invoked init/plan/impl handoff flows, not install-time execution.
- Bundled AGENTS doctrine is CipherStash setup guidance, not credential theft or reviewer manipulation.
- Network fetches are package-aligned EQL SQL downloads from github.com when requested; no exfiltration endpoint found.
- Secrets handling references env key names and database URLs for CLI/database operations; no harvesting loop found.
- Dynamic imports/jiti load user config or command chunks for CLI behavior, not remote payloads.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/bin/backfill-X3MBDG4G.jsView file
2import { createRequire as __createRequire } from 'module';
L3: var require = __createRequire(import.meta.url);
L4: import {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/bin/backfill-X3MBDG4G.jsView on unpkg · L2Findings
3 Medium4 Low
MediumDynamic Requiredist/bin/backfill-X3MBDG4G.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings