registry  /  @sellable/admin-mcp  /  0.1.117-hermes06.202607122115

@sellable/admin-mcp@0.1.117-hermes06.202607122115

Sellable Admin MCP - cross-workspace operations and fulfillment tools

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 483 KB of source, external domains: 127.0.0.1, app.sellable.dev, registry.npmjs.org, slack.com, www.googleapis.com

Source & flagged code

4 flagged · loading source
dist/tools/hermesOnboardingLifecycle.jsView file
254patternName = private_key_rsa severity = critical line = 254 matchedText = return /...ue);
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L254
254patternName = private_key_rsa severity = critical line = 254 matchedText = return /...ue);
Critical
Secret Pattern

RSA private key in dist/tools/hermesOnboardingLifecycle.js

dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L254
dist/lib/hermesExactPackageLauncher.jsView file
1import { spawn } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L5: import { basename, dirname, join, posix, resolve, sep } from "node:path"; L6: import { gunzipSync } from "node:zlib"; L7: export async function [redacted](input) { ... L19: writeFileSync(npmrc, [ L20: "registry=https://registry.npmjs.org/", L21: "ignore-scripts=true", ... L29: ["HOME", home], L30: ["PATH", process.env.PATH || ""], L31: ["LANG", process.env.LANG || "C"], ... L46: env,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/hermesExactPackageLauncher.jsView on unpkg · L1
dist/tools/hermesOnboardingAgent.jsView file
22patternName = private_key_rsa severity = critical line = 22 matchedText = /-----BE...-/i,
Critical
Secret Pattern

RSA private key in dist/tools/hermesOnboardingAgent.js

dist/tools/hermesOnboardingAgent.jsView on unpkg · L22

Findings

3 Critical1 High3 Medium4 Low
CriticalCritical Secretdist/tools/hermesOnboardingLifecycle.js
CriticalSecret Patterndist/tools/hermesOnboardingLifecycle.js
CriticalSecret Patterndist/tools/hermesOnboardingAgent.js
HighSandbox Evasion Gated Capabilitydist/lib/hermesExactPackageLauncher.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings