Tracked packageView full profile for monarch-mcp-server

MCPSafe.io

Security pre-install checks for MCP servers.

Use with caution. Address findings before production.

Compare to another server

github · monarch-mcp-serverHEAD

Item: monarch-mcp-server
Rating: 3
Author: MCPSafe

Scanned 5/3/2026, 6:40:07 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

5.2/ 10

Medium

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packagemonarch-mcp-server

VersionHEAD

SourceGITHUB

LicenseMIT

Publisherrobcerda

Package age10mo

Stars188

Downloads/wk—

Dependencies0

Repositoryhttps://github.com/robcerda/monarch-mcp-server

Findings

7 of 7 findings

high (2)

medium (3)

low (2)

7 findings

high (2)

AIVSS 5.2CVSS 7.3

MCP tool with a destructive-sounding name is registered without the `destructiveHint: true` annotation. Clients rely on this hint to gate user confirmation, so the model may invoke the tool silently. Add `{ annotations: { destructiveHint: true } }` (TS) or `destructive_hint=True` on the tool decorator (Python).

Evidence

"""Transaction rules tools with GraphQL queries."""

import logging
from typing import Any, Dict, List, Optional

from gql import gql

from monarch_mcp_server.app import mcp
from monarch_mcp_server.client import get_monarch_client
from monarch_mcp_server.helpers import json_success, json_error

logger = logging.getLogger(__name__)

# ---------------------------------------------------------------------------
# GraphQL constants
# ------------------------------------------------------------------

Remediation

Missing annotation: add `{ annotations: { destructiveHint: true } }` as the 4th argument to `server.tool(...)` (TS) or pass `destructive_hint=True` to the `@mcp.tool(...)` decorator (Python). readOnly-lying: remove the `readOnlyHint: true` / `read_only_hint=True` assertion, or refactor the handler so it no longer calls the destructive sink. Do not suppress with a waiver — clients rely on these hints for user-facing confirmation.

Report false positive

AIVSS 5.2CVSS 7.3

Evidence

"""Transaction management tools."""

import asyncio
import json
import logging
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

from monarch_mcp_server.app import mcp
from monarch_mcp_server.client import get_monarch_client
from monarch_mcp_server.helpers import format_transaction, json_success, json_error

logger = logging.getLogger(__name__)


@mcp.tool()
async def get_transactions(
    limit: int = 100,
    offset: int = 0,
    start_date: Optional[str] =

Remediation

Report false positive

medium (3)

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

print("     → https://app.monarchmoney.com")
            print("  3. Copy the value for the key 'token'")
            print("     (Alternatively: DevTools → Network tab, filter any request,")
            print("      look for 'Authorization: Token <value>' in request headers)")
            token = getpass.getpass("\nPaste your session token: ").strip()
            if not token:
                print("❌ No token provided. Exiting.")

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

print("  2. Open DevTools (F12) → Application tab → Local Storage")
            print("     → https://app.monarchmoney.com")
            print("  3. Copy the value for the key 'token'")
            print("     (Alternatively: DevTools → Network tab, filter any request,")
            print("      look for 'Authorization: Token <value>' in request headers)")
            token = getpass.getpass("\nPaste your session token: ").strip()
            if not token:

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive

AIVSS 2.8CVSS 3.5

Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure — useful recon for attackers.

Evidence

return status
    except Exception as e:
        return f"Error checking auth status: {str(e)}"


@mcp.tool()

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Report false positive

low (2)

AIVSS 0.5CVSS 1.0

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

Evidence

# The fail backend means no real backend was found
        from keyrings.alt import file as _  # noqa: F401 – probe import
        # If we get here, keyrings.alt is installed but may be the only option.
        # Fall through and check the backend name.
    except ImportError:
        pass

    try:
        import keyring

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Report false positive

AIVSS 0.5CVSS 1.0

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

Evidence

try:
                import keyring
                keyring.delete_password(KEYRING_SERVICE, KEYRING_USERNAME)
                logger.info("🗑️ Token deleted from keyring")
            except Exception:
                pass

        # Always try file cleanup too
        self._delete_token_file()

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Report false positive

LLM summary— monarch-mcp-server:HEAD

This package has a moderate security risk with a C grade and a safety score of 86, primarily due to two high-severity issues—likely related to ANSI escape injection and behavioral mismatches—that could expose your system to unexpected behavior or code execution. While no critical vulnerabilities were found, the three medium-severity findings (including verbose errors and readiness concerns) suggest potential stability or debugging risks that may require extra caution during integration.

Signal scores

Static100

CVE check100

Publisher identity50

Permissions100

Supply chain88

Typosquat100

Package health75

Community82

Secrets & exfil100

Injection risks84

Destructive ops60

LLM judge panel

CVE check

No known CVEs found for this package or its dependencies.

Community trust

No community reports

Security policy: Not found
Advisories: 0

Scan details

Total findings: 7
Affected tools: 2 / 3
Scan type: Fast Scan
Rules run: 45
LLM consensus score: N/A
Scanned: 54d ago
Source: GITHUB

Tool heatmap

get_transaction_rules

hMCP tool with a destructive-sounding name is registered without the `destructiveHint: true` annotation. Clients rely on this hint to gate user confirmation, so the model may invoke the tool silently. Add `{ annotations: { destructiveHint: true } }` (TS) or `destructive_hint=True` on the tool decorator (Python).

get_transactions

hMCP tool with a destructive-sounding name is registered without the `destructiveHint: true` annotation. Clients rely on this hint to gate user confirmation, so the model may invoke the tool silently. Add `{ annotations: { destructiveHint: true } }` (TS) or `destructive_hint=True` on the tool decorator (Python).

MCP Server Information

Source: GITHUB
Package: monarch-mcp-server
Version: HEAD
License: MIT
Publisher: robcerda
Verified: No
Account age: 10y 3m
Added: 10 months ago
Versions: 188
Repository: https://github.com/robcerda/monarch-mcp-server
Ecosystem: GitHub
Stars: 188
Forks: 72
Open issues: 6
Dependencies: 0

financemcp-servermonarchmonarch-money

AIVSS Score

5.2/ 10Medium

Internal score: 86/100

Severity breakdown

Scan Details

Total findings7

Affected tools2 / 3

Scanned54d ago

Scan modeFAST

SourceGITHUB

Scan IDpubfast4497dabb6092b943a3ec

Want deeper analysis?

Fast scan found 7 findings using rule-based analysis. Upgrade for LLM consensus across 5 judges, AI-generated remediation, and cross-file taint analysis.

View plans Scan another package

Building your own MCP server?

Run this exact engine on your private repo — before users see it on /scan.

Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasn’t shipped yet.

See plans with Private scans How private scans stay private

7 of 7 findings

high (2)

medium (3)

low (2)

7 findings

high (2)

AIVSS 5.2CVSS 7.3

Evidence

"""Transaction rules tools with GraphQL queries."""

import logging
from typing import Any, Dict, List, Optional

from gql import gql

from monarch_mcp_server.app import mcp
from monarch_mcp_server.client import get_monarch_client
from monarch_mcp_server.helpers import json_success, json_error

logger = logging.getLogger(__name__)

# ---------------------------------------------------------------------------
# GraphQL constants
# ------------------------------------------------------------------

Remediation

Report false positive

AIVSS 5.2CVSS 7.3

Evidence

"""Transaction management tools."""

import asyncio
import json
import logging
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

from monarch_mcp_server.app import mcp
from monarch_mcp_server.client import get_monarch_client
from monarch_mcp_server.helpers import format_transaction, json_success, json_error

logger = logging.getLogger(__name__)


@mcp.tool()
async def get_transactions(
    limit: int = 100,
    offset: int = 0,
    start_date: Optional[str] =

Remediation

Report false positive

medium (3)

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

print("     → https://app.monarchmoney.com")
            print("  3. Copy the value for the key 'token'")
            print("     (Alternatively: DevTools → Network tab, filter any request,")
            print("      look for 'Authorization: Token <value>' in request headers)")
            token = getpass.getpass("\nPaste your session token: ").strip()
            if not token:
                print("❌ No token provided. Exiting.")

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

print("  2. Open DevTools (F12) → Application tab → Local Storage")
            print("     → https://app.monarchmoney.com")
            print("  3. Copy the value for the key 'token'")
            print("     (Alternatively: DevTools → Network tab, filter any request,")
            print("      look for 'Authorization: Token <value>' in request headers)")
            token = getpass.getpass("\nPaste your session token: ").strip()
            if not token:

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive

AIVSS 2.8CVSS 3.5

Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure — useful recon for attackers.

Evidence

return status
    except Exception as e:
        return f"Error checking auth status: {str(e)}"


@mcp.tool()

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Report false positive

low (2)

AIVSS 0.5CVSS 1.0

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

Evidence

# The fail backend means no real backend was found
        from keyrings.alt import file as _  # noqa: F401 – probe import
        # If we get here, keyrings.alt is installed but may be the only option.
        # Fall through and check the backend name.
    except ImportError:
        pass

    try:
        import keyring

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Report false positive

AIVSS 0.5CVSS 1.0

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

Evidence

try:
                import keyring
                keyring.delete_password(KEYRING_SERVICE, KEYRING_USERNAME)
                logger.info("🗑️ Token deleted from keyring")
            except Exception:
                pass

        # Always try file cleanup too
        self._delete_token_file()

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Report false positive

31	# The fail backend means no real backend was found
32	from keyrings.alt import file as _ # noqa: F401 – probe import
33	# If we get here, keyrings.alt is installed but may be the only option.
34	# Fall through and check the backend name.
35	except ImportError:
36	pass
37
38	try:
39	import keyring

137	try:
138	import keyring
139	keyring.delete_password(KEYRING_SERVICE, KEYRING_USERNAME)
140	logger.info("🗑️ Token deleted from keyring")
141	except Exception:
142	pass
143
144	# Always try file cleanup too
145	self._delete_token_file()

31	# The fail backend means no real backend was found
32	from keyrings.alt import file as _ # noqa: F401 – probe import
33	# If we get here, keyrings.alt is installed but may be the only option.
34	# Fall through and check the backend name.
35	except ImportError:
36	pass
37
38	try:
39	import keyring

137	try:
138	import keyring
139	keyring.delete_password(KEYRING_SERVICE, KEYRING_USERNAME)
140	logger.info("🗑️ Token deleted from keyring")
141	except Exception:
142	pass
143
144	# Always try file cleanup too
145	self._delete_token_file()

1	"""Transaction rules tools with GraphQL queries."""
2
3	import logging
4	from typing import Any, Dict, List, Optional
5
6	from gql import gql
7
8	from monarch_mcp_server.app import mcp
9	from monarch_mcp_server.client import get_monarch_client
10	from monarch_mcp_server.helpers import json_success, json_error
11
12	logger = logging.getLogger(__name__)
13
14	# ---------------------------------------------------------------------------
15	# GraphQL constants
16	# ------------------------------------------------------------------

1	"""Transaction management tools."""
2
3	import asyncio
4	import json
5	import logging
6	from datetime import datetime, timedelta
7	from typing import Any, Dict, List, Optional
8
9	from monarch_mcp_server.app import mcp
10	from monarch_mcp_server.client import get_monarch_client
11	from monarch_mcp_server.helpers import format_transaction, json_success, json_error
12
13	logger = logging.getLogger(__name__)
14
15
16	@mcp.tool()
17	async def get_transactions(
18	limit: int = 100,
19	offset: int = 0,
20	start_date: Optional[str] =

76	print(" → https://app.monarchmoney.com")
77	print(" 3. Copy the value for the key 'token'")
78	print(" (Alternatively: DevTools → Network tab, filter any request,")
79	print(" look for 'Authorization: Token <value>' in request headers)")
80	token = getpass.getpass("\nPaste your session token: ").strip()
81	if not token:
82	print("❌ No token provided. Exiting.")

75	print(" 2. Open DevTools (F12) → Application tab → Local Storage")
76	print(" → https://app.monarchmoney.com")
77	print(" 3. Copy the value for the key 'token'")
78	print(" (Alternatively: DevTools → Network tab, filter any request,")
79	print(" look for 'Authorization: Token <value>' in request headers)")
80	token = getpass.getpass("\nPaste your session token: ").strip()
81	if not token:

79	return status
80	except Exception as e:
81	return f"Error checking auth status: {str(e)}"
82
83
84	@mcp.tool()