registry  /  saldo-mcp  /  0.1.4

saldo-mcp@0.1.4

Saldo local connector — read-only MCP bridge between Nordic bank accounts and AI assistants.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs saldo connect-claude or saldo init/link/serve
Impact
Claude can invoke a read-only local finance MCP server; package also stores local config/cache and contacts aligned banking/broker APIs after user setup.
Mechanism
explicit MCP registration and open-banking data connector
Rationale
Source inspection shows an explicit user-command MCP setup flow plus package-aligned banking/broker behavior, so this fits warn-level AI-agent config mutation rather than malicious hijack. No unconsented install-time mutation or concrete exfiltration/destructive chain was found.
Evidence
package.jsondist/cli/index.jsdist/util/claude-config.jsdist/cli/init.jsdist/config.jsdist/bootstrap.jsdist/broker-client.jsdist/providers/enablebanking/client.jsdist/mcp/server.js.env.example~/.saldo/config.json~/.saldo/state.json~/.saldo/broker-device.json~/.saldo/cache.sqlite~/.saldo/cache.key~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.json$XDG_CONFIG_HOME/Claude/claude_desktop_config.json
Network endpoints4
api.enablebanking.comsaldo-broker.up.railway.applocalhost:8888/callback127.0.0.1:<port>/mcp

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/util/claude-config.js writes Claude Desktop mcpServers only via explicit connect-claude command
  • dist/util/claude-config.js invokes claude mcp remove/add for Claude Code user scope
  • dist/cli/init.js can persist Enable Banking private key to ~/.saldo/config.json on explicit init
  • dist/broker-client.js sends device credentials to configured broker and stores broker-device.json
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build
  • dist/cli/index.js connect-claude/disconnect-claude are explicit CLI commands, not install/import-time actions
  • MCP tools in dist/mcp/server.js are read-only finance queries; no money movement or shell execution
  • Network endpoints are package-aligned: api.enablebanking.com, saldo-broker.up.railway.app, localhost callback
  • dist/providers/enablebanking/client.js uses bearer tokens for Enable Banking API calls, not broad exfiltration
  • .env.example contains placeholder PEM text, not a real secret
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 79.9 KB of source, external domains: 127.0.0.1, api.enablebanking.com, nodejs.org, saldo-broker.up.railway.app

Source & flagged code

4 flagged · loading source
.env.exampleView file
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.exampleView on unpkg · L23
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Secret Pattern

RSA private key in .env.example

.env.exampleView on unpkg · L23
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto"; L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/providers/enablebanking/mappers.jsView on unpkg · L1
dist/util/claude-config.jsView file
matchType = previous_version_dangerous_delta matchedPackage = saldo-mcp@0.1.0 matchedIdentity = npm:c2FsZG8tbWNw:0.1.0 similarity = 0.821 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/util/claude-config.jsView on unpkg

Findings

2 Critical1 High2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
HighPrevious Version Dangerous Deltadist/util/claude-config.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings