registry  /  @sellable/admin-mcp  /  0.1.42

@sellable/admin-mcp@0.1.42

Sellable Admin MCP - cross-workspace operations and fulfillment tools

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A connected MCP client explicitly calls the Hermes onboarding lifecycle/composition tool in a mutation mode.
Impact
Can provision, rebuild, roll back, or disable a customer agent through the local Hermes executable and configured admin files.
Mechanism
Approval-gated external Hermes bootstrap plus local registry, lifecycle, token, and evidence writes.
Rationale
The package is not malicious by source evidence, but it exposes high-impact explicit agent provisioning and external executable invocation. Per policy, this warrants a warning for user-invoked AI-agent capability abuse rather than a publish block.
Evidence
package.jsondist/index.jsdist/server.jsdist/auth.jsdist/tools/hermesOnboardingAgent.jsdist/tools/hermesOnboardingLifecycle.jsdist/tools/hermesCustomerToken.jsdist/tools/notionPublisher.js$SELLABLE_ADMIN_STATE_PATH$SELLABLE_ADMIN_HOME/hermes-onboarding-lifecycles/opt/data/profiles/sellable-admin/secrets
Network endpoints2
app.sellable.devslack.com/api/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/hermesOnboardingAgent.js` explicitly invokes a resolved `hermes` binary with `execFile`.
  • Its apply/rebuild/disable modes pass provisioning and destructive-removal arguments to that external tool.
  • `dist/tools/hermesOnboardingAgent.js` atomically modifies the configured admin state registry.
  • `dist/tools/hermesOnboardingLifecycle.js` exposes explicit MCP actions that create lifecycle, approval, token, and evidence files.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `dist/index.js` only starts the stdio MCP server; no provisioning runs on import.
  • Provisioning mutations require an MCP tool invocation, validated input, approval packets, and sealed package hashes.
  • Secret-pattern logic redacts subprocess output and rejects secret-bearing verification input.
  • Network calls are product-aligned Sellable/Slack API operations; no covert exfiltration endpoint was found.
  • No eval, VM, shell command string, dynamic code loading, or bundled binary was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 312 KB of source, external domains: 127.0.0.1, app.sellable.dev, slack.com, www.googleapis.com

Source & flagged code

4 flagged · loading source
dist/tools/hermesOnboardingLifecycle.jsView file
60patternName = private_key_rsa severity = critical line = 60 matchedText = return /...ue);
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L60
60patternName = private_key_rsa severity = critical line = 60 matchedText = return /...ue);
Critical
Secret Pattern

RSA private key in dist/tools/hermesOnboardingLifecycle.js

dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L60
dist/tools/hermesOnboardingAgent.jsView file
18patternName = private_key_rsa severity = critical line = 18 matchedText = /-----BE...-/i,
Critical
Secret Pattern

RSA private key in dist/tools/hermesOnboardingAgent.js

dist/tools/hermesOnboardingAgent.jsView on unpkg · L18
matchType = previous_version_dangerous_delta matchedPackage = @sellable/admin-mcp@0.1.41 matchedIdentity = npm:QHNlbGxhYmxlL2FkbWluLW1jcA:0.1.41 similarity = 0.920 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/hermesOnboardingAgent.jsView on unpkg

Findings

3 Critical1 High2 Medium4 Low
CriticalCritical Secretdist/tools/hermesOnboardingLifecycle.js
CriticalSecret Patterndist/tools/hermesOnboardingLifecycle.js
CriticalSecret Patterndist/tools/hermesOnboardingAgent.js
HighPrevious Version Dangerous Deltadist/tools/hermesOnboardingAgent.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings