AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `saldo init`, `saldo connect-claude`, `saldo link`, or starts the MCP server.
Impact
Claude can query connected account, balance, and transaction data through this package after user setup; no install-time hijack or exfiltration was found.
Mechanism
User-invoked banking MCP connector and Claude config registration
Rationale
Source inspection shows an intended read-only banking MCP connector with user-invoked setup and package-aligned network calls. Because it explicitly mutates Claude Desktop MCP configuration on command, warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/cli/init.jsdist/util/claude-config.jsdist/config.jsdist/bootstrap.jsdist/index.jsdist/mcp/server.jsdist/providers/enablebanking/client.jsdist/broker-client.js.env.example~/.saldo/config.json~/.saldo/state.json~/.saldo/broker-device.json~/.saldo/cache.key~/.saldo/cache.sqliteClaude/claude_desktop_config.json
Network endpoints4
api.enablebanking.comsaldo-broker.up.railway.applocalhost:8888/callback127.0.0.1:4321/mcp
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/util/claude-config.js writes a Claude Desktop mcpServers entry, but only via explicit `saldo connect-claude`.
- dist/cli/init.js can persist user-provided Enable Banking private key to config.json with mode 0600.
- dist/broker-client.js default managed mode contacts a Saldo broker and stores broker device credentials.
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build.
- dist/index.js starts an MCP stdio server only at runtime, not import/install time.
- dist/mcp/server.js exposes read-only account, balance, transaction, and summary tools; no money movement or shell execution.
- dist/providers/enablebanking/client.js calls the package-aligned Enable Banking API with bearer tokens.
- No child_process, eval, dynamic code loading, destructive filesystem behavior, or credential exfiltration found.
- .env.example contains placeholders, not real secrets.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading source.env.exampleView file
23patternName = private_key_rsa
severity = critical
line = 23
matchedText = EB_PRIVA...-\n"
Critical
23patternName = private_key_rsa
severity = critical
line = 23
matchedText = EB_PRIVA...-\n"
Critical
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto";
L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/providers/enablebanking/mappers.jsView on unpkg · L1Findings
2 Critical2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings