registry  /  saldo-mcp  /  0.1.0

saldo-mcp@0.1.0

Saldo local connector — read-only MCP bridge between Nordic bank accounts and AI assistants.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `saldo init`, `saldo connect-claude`, `saldo link`, or starts the MCP server.
Impact
Claude can query connected account, balance, and transaction data through this package after user setup; no install-time hijack or exfiltration was found.
Mechanism
User-invoked banking MCP connector and Claude config registration
Rationale
Source inspection shows an intended read-only banking MCP connector with user-invoked setup and package-aligned network calls. Because it explicitly mutates Claude Desktop MCP configuration on command, warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/cli/init.jsdist/util/claude-config.jsdist/config.jsdist/bootstrap.jsdist/index.jsdist/mcp/server.jsdist/providers/enablebanking/client.jsdist/broker-client.js.env.example~/.saldo/config.json~/.saldo/state.json~/.saldo/broker-device.json~/.saldo/cache.key~/.saldo/cache.sqliteClaude/claude_desktop_config.json
Network endpoints4
api.enablebanking.comsaldo-broker.up.railway.applocalhost:8888/callback127.0.0.1:4321/mcp

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/util/claude-config.js writes a Claude Desktop mcpServers entry, but only via explicit `saldo connect-claude`.
  • dist/cli/init.js can persist user-provided Enable Banking private key to config.json with mode 0600.
  • dist/broker-client.js default managed mode contacts a Saldo broker and stores broker device credentials.
Evidence against
  • package.json has no install/preinstall/postinstall hooks; only prepublishOnly build.
  • dist/index.js starts an MCP stdio server only at runtime, not import/install time.
  • dist/mcp/server.js exposes read-only account, balance, transaction, and summary tools; no money movement or shell execution.
  • dist/providers/enablebanking/client.js calls the package-aligned Enable Banking API with bearer tokens.
  • No child_process, eval, dynamic code loading, destructive filesystem behavior, or credential exfiltration found.
  • .env.example contains placeholders, not real secrets.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 76.0 KB of source, external domains: 127.0.0.1, api.enablebanking.com, nodejs.org, saldo-broker.up.railway.app

Source & flagged code

3 flagged · loading source
.env.exampleView file
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.exampleView on unpkg · L23
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Secret Pattern

RSA private key in .env.example

.env.exampleView on unpkg · L23
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto"; L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/providers/enablebanking/mappers.jsView on unpkg · L1

Findings

2 Critical2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings