registry  /  saldo-mcp  /  0.1.5

saldo-mcp@0.1.5

Saldo local connector — read-only MCP bridge between Nordic bank accounts and AI assistants.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs saldo connect-claude, saldo init, saldo serve, or banking query commands.
Impact
Warn-level agent configuration mutation; no unconsented install-time hijack or exfiltration found.
Mechanism
User-invoked MCP registration and banking API connector
Rationale
Static inspection shows a legitimate read-only banking MCP connector with explicit Claude registration commands and package-aligned network endpoints. Because it mutates an AI-agent control surface only via a user-invoked command and has no install-time hijack or malicious chain, downgrade to warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/util/claude-config.jsdist/cli/init.jsdist/config.jsdist/broker-client.jsdist/providers/enablebanking/client.jsdist/mcp/server.js.env.example~/.saldo/config.json~/.saldo/broker-device.json~/.saldo/cache.sqlite~/.saldo/cache.keyClaude Desktop claude_desktop_config.json
Network endpoints4
api.enablebanking.comsaldo-broker.up.railway.applocalhost:8888/callback127.0.0.1:{port}/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js exposes user-invoked connect-claude/disconnect-claude commands.
  • dist/util/claude-config.js writes Claude Desktop mcpServers.saldo and runs claude mcp add/remove for Claude Code.
  • dist/cli/init.js can write ~/.saldo/config.json with managed broker or self-host Enable Banking credentials.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • Claude config mutation is explicit CLI action, not install-time or import-time behavior.
  • MCP tools in dist/mcp/server.js are read-only account/balance/transaction queries.
  • Network use is package-aligned: Enable Banking API and configured/Saldo broker.
  • No eval/vm/Function, remote payload loading, credential harvesting, or broad file scanning found.
  • .env.example contains placeholder PEM text, not a real secret.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 80.8 KB of source, external domains: 127.0.0.1, api.enablebanking.com, nodejs.org, saldo-broker.up.railway.app

Source & flagged code

3 flagged · loading source
.env.exampleView file
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.exampleView on unpkg · L23
23patternName = private_key_rsa severity = critical line = 23 matchedText = EB_PRIVA...-\n"
Critical
Secret Pattern

RSA private key in .env.example

.env.exampleView on unpkg · L23
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto"; L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/providers/enablebanking/mappers.jsView on unpkg · L1

Findings

2 Critical2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings