registry  /  @sellable/admin-mcp  /  0.1.41

@sellable/admin-mcp@0.1.41

Sellable Admin MCP - cross-workspace operations and fulfillment tools

AI Security Review

scanned 41m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The MCP exposes an explicit Hermes onboarding lifecycle that can invoke an external installer and persist package-owned state. No install-time execution or unconsented mutation of a foreign AI-agent configuration was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
An MCP client explicitly calls `setup_hermes_onboarding_agent` or the Hermes lifecycle tool with an approved mutation mode.
Impact
Can provision, reconfigure, or destructively tear down a customer Hermes agent when invoked with valid approval artifacts.
Mechanism
approved external Hermes bootstrap/rollback invocation plus owned-state and token-file management
Rationale
Source inspection confirms a guarded, user-invoked agent provisioning and teardown capability rather than a malicious install-time payload. Warn because the package can control external AI-agent lifecycle resources through its MCP tools.
Evidence
package.jsondist/index.jsdist/tools/hermesOnboardingAgent.jsdist/tools/hermesOnboardingLifecycle.jsdist/tools/hermesCustomerToken.jsdist/api.js$SELLABLE_ADMIN_HOME/config-state.json$SELLABLE_ADMIN_HOME/approvals$SELLABLE_ADMIN_HOME/hermes-disable-receipts/opt/data/profiles
Network endpoints2
app.sellable.devslack.com/api/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/hermesOnboardingAgent.js` invokes a PATH-resolved `hermes` binary with `execFile`.
  • Its `apply`, `rebuild`, and `disable` modes can provision or tear down customer-agent resources.
  • The tool writes Hermes registry, ledger, and disable-receipt state under the package-owned admin home.
  • `dist/tools/hermesCustomerToken.js` mints and stores customer tokens in owner-only local files.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` only starts an MCP stdio server; onboarding actions require an MCP tool call.
  • Mutation modes require approval-packet validation and immutable package SHA-256 candidates.
  • Secret-pattern logic redacts process output and rejects secret values in setup arguments.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 309 KB of source, external domains: 127.0.0.1, app.sellable.dev, slack.com, www.googleapis.com

Source & flagged code

3 flagged · loading source
dist/tools/hermesOnboardingAgent.jsView file
18patternName = private_key_rsa severity = critical line = 18 matchedText = /-----BE...-/i,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tools/hermesOnboardingAgent.jsView on unpkg · L18
18patternName = private_key_rsa severity = critical line = 18 matchedText = /-----BE...-/i,
Critical
Secret Pattern

RSA private key in dist/tools/hermesOnboardingAgent.js

dist/tools/hermesOnboardingAgent.jsView on unpkg · L18
matchType = previous_version_dangerous_delta matchedPackage = @sellable/admin-mcp@0.1.40 matchedIdentity = npm:QHNlbGxhYmxlL2FkbWluLW1jcA:0.1.40 similarity = 0.880 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/hermesOnboardingAgent.jsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalCritical Secretdist/tools/hermesOnboardingAgent.js
CriticalSecret Patterndist/tools/hermesOnboardingAgent.js
HighPrevious Version Dangerous Deltadist/tools/hermesOnboardingAgent.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings