AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime capabilities are admin MCP tools that use user-provided Sellable, Slack, database, and browser/publisher configuration when invoked.
Static reason
No blocking static signals were detected.
Trigger
User runs sellable-admin-mcp and invokes MCP tools
Impact
Legitimate package-aligned operations can read or mutate configured Sellable/Slack/admin state; no unconsented install-time mutation or exfiltration was identified.
Mechanism
authenticated admin API/database/Slack/Notion operations
Rationale
Source inspection shows an MCP admin package with explicit runtime tools and package-aligned network use, not install-time compromise or hidden payload execution. Potentially powerful operations require configured credentials and explicit tool invocation, with no evidence of credential harvesting beyond intended local config reads.
Evidence
package.jsondist/index.jsdist/server.jsdist/auth.jsdist/api.jsdist/db.jsdist/tools/sellable.jsdist/tools/workspace.jsdist/tools/slackLists.jsdist/tools/dashboard.jsdist/tools/notionPublisher.jsskills/hermes-vps-desktop-setup/SKILL.mdsettings.jsonconfig-state.json~/.sellable-admin/settings.json~/.sellable-admin/config-state.json~/.claude/sellable-admin.json~/.sellable-admin/logs/notion-publish
Network endpoints2
app.sellable.devslack.com/api/
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; bin only starts dist/index.js
- dist/server.js registers MCP tools and waits on stdio; no import-time network or filesystem mutation found
- dist/auth.js reads user-selected Sellable config from settings.json/env paths; it does not exfiltrate secrets outside tool requests
- dist/api.js and dist/tools/sellable.js call configured Sellable API with bearer token for admin operations
- dist/tools/slackLists.js and dist/tools/dashboard.js call Slack API using configured Slack token for workspace/canvas operations
- dist/tools/notionPublisher.js uses spawnSync only in explicit MCP tool handlers for local Notion publishing/doctor commands
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium4 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings