AI Security Review
scanned 1h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs saldo connect-claude, saldo init, saldo serve, or banking query commands.
Impact
Warn-level agent configuration mutation; no unconsented install-time hijack or exfiltration found.
Mechanism
User-invoked MCP registration and banking API connector
Rationale
Static inspection shows a legitimate read-only banking MCP connector with explicit Claude registration commands and package-aligned network endpoints. Because it mutates an AI-agent control surface only via a user-invoked command and has no install-time hijack or malicious chain, downgrade to warn rather than block.
Evidence
package.jsondist/cli/index.jsdist/util/claude-config.jsdist/cli/init.jsdist/config.jsdist/broker-client.jsdist/providers/enablebanking/client.jsdist/mcp/server.js.env.example~/.saldo/config.json~/.saldo/broker-device.json~/.saldo/cache.sqlite~/.saldo/cache.keyClaude Desktop claude_desktop_config.json
Network endpoints4
api.enablebanking.comsaldo-broker.up.railway.applocalhost:8888/callback127.0.0.1:{port}/mcp
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/cli/index.js exposes user-invoked connect-claude/disconnect-claude commands.
- dist/util/claude-config.js writes Claude Desktop mcpServers.saldo and runs claude mcp add/remove for Claude Code.
- dist/cli/init.js can write ~/.saldo/config.json with managed broker or self-host Enable Banking credentials.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
- Claude config mutation is explicit CLI action, not install-time or import-time behavior.
- MCP tools in dist/mcp/server.js are read-only account/balance/transaction queries.
- Network use is package-aligned: Enable Banking API and configured/Saldo broker.
- No eval/vm/Function, remote payload loading, credential harvesting, or broad file scanning found.
- .env.example contains placeholder PEM text, not a real secret.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading source.env.exampleView file
23patternName = private_key_rsa
severity = critical
line = 23
matchedText = EB_PRIVA...-\n"
Critical
23patternName = private_key_rsa
severity = critical
line = 23
matchedText = EB_PRIVA...-\n"
Critical
dist/providers/enablebanking/mappers.jsView file
1import { createHash } from "node:crypto";
L2: import { toMinorUnits } from "../../util/money.js";
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/providers/enablebanking/mappers.jsView on unpkg · L1Findings
2 Critical2 Medium6 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/providers/enablebanking/mappers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings