Hey, I was looking through the repo and noticed something that might be a security concern.
The .mcp.json files in each plugin just take MCP server URLs as-is without any kind of validation. There's no check for https, no allowlist, nothing stopping someone from pointing a plugin at a malicious endpoint.
Why this matters
- If someone forks this and swaps out an MCP URL, anyone who installs that fork would be sending their financial data to a random server without realizing it
- Could also be used for SSRF if the URLs aren't restricted to external hosts only
- Since this repo is targeted at financial services, the data flowing through these plugins is pretty sensitive (earnings data, portfolio info, client details etc)
What I think could help
- Some basic URL validation - at minimum enforce https and check the format
- Maybe an allowlist of known good MCP domains? The README already lists them all so it wouldn't be hard
- Print a warning if a plugin is using an MCP endpoint that's not on the approved list
- A SECURITY.md would also be nice so people know how to report stuff like this
Affected plugins
Pretty much all of them since they all use .mcp.json, but the core financial-analysis plugin is the main one since that's where the connectors live.
I'm a student so apologies if I'm missing context on whether this is handled somewhere else in the stack. Just flagging what I found from reading through the code.
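The checks the issue asks for (https only, format validation, an allowlist with a warning for unlisted hosts) as an added example, not code from the repository or its author. It assumes a `.mcp.json` layout of `{"mcpServers": {"<name>": {"url": "..."}}}`, which the issue does not confirm, and the allowlist hostnames are constructed placeholders standing in for the domains the README lists. Beyond the issue's list it also rejects loopback, private and link-local IP literals and local hostnames, which is the SSRF concern the issue raises.

```python
import ipaddress
import json
import sys
from urllib.parse import urlparse

# Placeholder allowlist (constructed for this example). The issue says the
# README lists the real MCP domains; a real check would be seeded from those.
APPROVED_MCP_HOSTS = frozenset({
    "mcp.approved-example.com",
    "connectors.approved-example.net",
})

# Hostnames that point at the local machine without being IP literals.
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def validate_mcp_url(url, approved_hosts=APPROVED_MCP_HOSTS):
    """Check one MCP server URL.

    Returns (errors, warnings). Errors are hard failures: malformed URL,
    non-https scheme, embedded credentials, or a host that is a loopback,
    private or link-local address. A host missing from the allowlist is
    only a warning, matching the issue's "print a warning" suggestion.
    """
    errors, warnings = [], []
    try:
        parsed = urlparse(url)
        host = parsed.hostname
    except ValueError as exc:  # e.g. an unbalanced IPv6 bracket literal
        return [f"malformed URL: {exc}"], warnings
    if not parsed.scheme or not host:
        return ["malformed URL: missing scheme or host"], warnings
    if parsed.scheme != "https":
        errors.append(f"scheme must be https, got {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        errors.append("URL must not embed credentials")
    # SSRF guard: refuse non-public IP literals and names for the local host.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if host.lower() in LOCAL_HOSTNAMES or host.lower().endswith(".localhost"):
            errors.append(f"host {host!r} refers to the local machine")
    else:
        if not addr.is_global:
            errors.append(f"host {host} is not a public address")
    if host.lower() not in approved_hosts:
        warnings.append(f"host {host!r} is not on the approved MCP list")
    return errors, warnings


def check_mcp_config(config, approved_hosts=APPROVED_MCP_HOSTS):
    """Validate every server entry of a parsed .mcp.json dict.

    Assumed layout (not confirmed by the issue):
    {"mcpServers": {"<name>": {"url": "https://..."}}}.
    Returns {server_name: (errors, warnings)}.
    """
    results = {}
    for name, entry in config.get("mcpServers", {}).items():
        url = entry.get("url") if isinstance(entry, dict) else None
        if not isinstance(url, str):
            results[name] = (["entry has no string 'url' field"], [])
            continue
        results[name] = validate_mcp_url(url, approved_hosts)
    return results


# Constructed sample config: one clean entry, one plain-http entry, one
# private-network entry, and one entry a fork might have swapped in.
SAMPLE_MCP_CONFIG = {
    "mcpServers": {
        "earnings": {"url": "https://mcp.approved-example.com/sse"},
        "portfolio": {"url": "http://mcp.approved-example.com/sse"},
        "private": {"url": "https://10.0.0.5/sse"},
        "forked": {"url": "https://mcp.not-approved-example.org/sse"},
    }
}


def main(paths):
    """Check each .mcp.json path; exit status 1 if any entry has an error."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
        for name, (errors, warnings) in check_mcp_config(config).items():
            for msg in errors:
                print(f"{path}: {name}: ERROR: {msg}")
                exit_code = 1
            for msg in warnings:
                print(f"{path}: {name}: WARNING: {msg}")
    return exit_code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No paths given: run against the constructed sample instead.
    for name, (errs, warns) in check_mcp_config(SAMPLE_MCP_CONFIG).items():
        print(f"{name}: errors={errs} warnings={warns}")
```

Run as `python check_mcp.py plugins/*/.mcp.json` to get a non-zero exit status on any hard failure, which is enough to wire it into CI; running it with no arguments exercises the embedded sample. Treating an unlisted host as a warning rather than an error keeps the check usable for forks that legitimately add a connector, while still making the swap visible at install time.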