Risk: critical

@xeroapi/xero-mcp-server v0.0.14

MCP server implementation for Xero integration

npm | aasimqureshi | First seen Feb 22, 2026

8 Total | 5 Critical | 2 High | 1 Medium

Findings

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    186: ## Security
    187: 
>>> 188: Please do not commit your `.env` file or any sensitive credentials to version control (it is included in `.gitignore` as a safe default.)
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4: import { ensureError } from "../helpers/ensure-error.js";
    5: dotenv.config();
>>> 6: const client_id = process.env.XERO_CLIENT_ID;
    7: const client_secret = process.env.XERO_CLIENT_SECRET;
    8: const bearer_token = process.env.XERO_CLIENT_BEARER_TOKEN;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5: dotenv.config();
    6: const client_id = process.env.XERO_CLIENT_ID;
>>> 7: const client_secret = process.env.XERO_CLIENT_SECRET;
    8: const bearer_token = process.env.XERO_CLIENT_BEARER_TOKEN;
    9: const grant_type = "client_credentials";
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6: const client_id = process.env.XERO_CLIENT_ID;
    7: const client_secret = process.env.XERO_CLIENT_SECRET;
>>> 8: const bearer_token = process.env.XERO_CLIENT_BEARER_TOKEN;
    9: const grant_type = "client_credentials";
    10: if (!bearer_token && (!client_id || !client_secret)) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    9: const grant_type = "client_credentials";
    10: if (!bearer_token && (!client_id || !client_secret)) {
>>> 11:     throw Error("Environment Variables not set - please check your .env file");
    12: }
    13: class MCPXeroClient extends XeroClient {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ���+�*'E�)�{

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: ���+�*'E�)�{

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.


Scan History

Date          Risk      Findings
Feb 25, 2026  critical  8
Feb 23, 2026  critical  8
Feb 22, 2026  critical  8