registry  /  saldo-mcp  /  0.1.5

saldo-mcp@0.1.5

Saldo local connector — read-only MCP bridge between Nordic bank accounts and AI assistants.

Static Scan Results

scanned 40s ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 80.8 KB of source, external domains: 127.0.0.1, api.enablebanking.com, nodejs.org, saldo-broker.up.railway.app

Source & flagged code

3 flagged · loading source
.env.exampleView file
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.exampleView on unpkg · L23
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Secret Pattern

RSA private key in .env.example

.env.exampleView on unpkg · L23
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto"; L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/providers/enablebanking/mappers.jsView on unpkg · L1

Findings

2 Critical2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings