ai.smithery/CollectiveSpend-collectivespend-smithery-mcp

B (7.0)

Connect CollectiveSpend with Xero to manage contacts. Retrieve, create, and update contact records…

streamable-http, ai-ml

Installation

Claude Desktop config (remote)

{
  "mcpServers": {
    "ai-smithery-collectivespend-collectivespend-smithery-mcp": {
      "type": "streamable-http",
      "url": "https://server.smithery.ai/@CollectiveSpend/collectivespend-smithery-mcp/mcp"
    }
  }
}

Cursor config

{
  "mcpServers": {
    "ai-smithery-collectivespend-collectivespend-smithery-mcp": {
      "url": "https://server.smithery.ai/@CollectiveSpend/collectivespend-smithery-mcp/mcp"
    }
  }
}

Security Report

Score Breakdown

Description: 10
Permissions: 10
Behavior: 4
Stability: --

Findings (7)

high / vague-description

Incomplete and Vague Server Description

The description is truncated mid-sentence ('...') and doesn't clearly explain the server's full purpose, capabilities, or scope. It mentions 'CollectiveSpend' and 'Xero' integration for contact management but lacks detail about what operations are actually supported.

high / network-access

Remote HTTP Endpoint Without Visible Authentication

Server uses streamable-http transport with a remote URL (https://server.smithery.ai/...), meaning it accepts connections from the internet. No authentication mechanism is documented, creating exposure risk.

high / excessive-scope

Broad Financial/Contact Data Access Claims

Server claims to manage contacts in both CollectiveSpend and Xero (accounting software), implying access to financial and personal data. The scope of what 'manage' means (create, update, delete, export?) is unclear.

medium / credential-input

No Repository or Source Code Available

No repository URL provided. Cannot verify the server's code, security practices, or actual implementation. This is a significant trust gap for a server handling financial/contact data.

medium / vague-description

Tool Definitions Not Available for Review

Tools were not fetched from the server, preventing analysis of input validation, permission boundaries, and potential injection vulnerabilities. For a server claiming data management capabilities, this is a critical gap.

low / vague-description

Unclear Server Identity and Authorship

Server name references 'CollectiveSpend' but it's unclear if this is an official integration, a third-party wrapper, or a community project. No author information or trust signals provided.

info / vague-description

Semantic Analysis Summary

This server presents moderate-to-high risk due to remote HTTP exposure without documented authentication, vague/incomplete description, and claims of broad financial and contact data access without source code verification. The inability to review tool definitions prevents full security assessment. Recommend obtaining source code, clarifying authentication mechanisms, and reviewing actual tool implementations before deployment.

Last scanned 1h ago

Details

Version: 1.0.0
Transport: streamable-http
Capabilities