critical
suspicious.dangerous_exec
- Location
- dist/cli.js:2442
- Finding
- Shell command execution detected (child_process).
Nella
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.dep_not_found_on_registry, suspicious.env_credential_access (+2 more)
Findings (21)
critical
suspicious.dangerous_exec
- Location
- dist/index.js:2446
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dangerous_exec
- Location
- dist/mcp/hosted-server.js:2446
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dangerous_exec
- Location
- dist/mcp/index.js:2446
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dangerous_exec
- Location
- dist/mcp/server.js:2447
- Finding
- Shell command execution detected (child_process).
critical
suspicious.env_credential_access
- Location
- dist/cli.js:2976
- Finding
- Environment variable access combined with network send.
critical
suspicious.env_credential_access
- Location
- dist/index.js:2980
- Finding
- Environment variable access combined with network send.
critical
suspicious.env_credential_access
- Location
- dist/mcp/hosted-server.js:2980
- Finding
- Environment variable access combined with network send.
critical
suspicious.env_credential_access
- Location
- dist/mcp/index.js:2980
- Finding
- Environment variable access combined with network send.
critical
suspicious.env_credential_access
- Location
- dist/mcp/server.js:2981
- Finding
- Environment variable access combined with network send.
critical
suspicious.exposed_secret_literal
- Location
- dist/cli.js:2976
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- dist/index.js:2980
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- dist/mcp/hosted-server.js:2980
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- dist/mcp/index.js:2980
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- dist/mcp/server.js:2981
- Finding
- File appears to expose a hardcoded API secret or token.
warn
suspicious.potential_exfiltration
- Location
- dist/cli.js:24350
- Finding
- Sensitive-looking file read is paired with a network send.
warn
suspicious.potential_exfiltration
- Location
- dist/index.js:24216
- Finding
- Sensitive-looking file read is paired with a network send.
warn
suspicious.potential_exfiltration
- Location
- dist/mcp/hosted-server.js:24632
- Finding
- Sensitive-looking file read is paired with a network send.
warn
suspicious.potential_exfiltration
- Location
- dist/mcp/index.js:24280
- Finding
- Sensitive-looking file read is paired with a network send.
warn
suspicious.potential_exfiltration
- Location
- dist/mcp/server.js:24175
- Finding
- Sensitive-looking file read is paired with a network send.
critical
suspicious.dep_not_found_on_registry
- Location
- Dependency manifests:1
- Finding
- 1 package(s) referenced in dependency files do not exist on their public registries: @usenella/core (npm)