expensify-heist-mcp
Verified Safe by maguerrieri
Overview
Automates fetching and parsing Expensify CSV exports via Safari web automation on macOS, and can convert them to YNAB transaction format.
Installation
expensify-heist-mcp
Security Notes
The server uses AppleScript to control Safari and inject JavaScript for web automation. The JavaScript snippets are hardcoded in `heist.py` and interact with expensify.com for login and report export. While this provides powerful control over the browser, the specific hardcoded actions appear benign. AppleScript is executed through `subprocess.run`, which is direct command execution. There are no clear indications of arbitrary code execution from untrusted input (e.g., `eval` on user-controlled data) or of hardcoded secrets. The server requires explicit macOS automation permissions, which act as a user-controlled gate. A significant discrepancy exists between the provided source code (expensify-heist-mcp, using Safari) and the provided README (expensify-mail-mcp, describing Mail.app automation), which might cause confusion about how the server actually operates.
Similar Servers
mcp
This server provides Hyperbrowser's Model Context Protocol (MCP) interface, offering tools for web scraping, structured data extraction, crawling, and general-purpose browser automation using AI agents like OpenAI's CUA and Anthropic's Claude Computer Use.
headless-browser-tool
This project provides a Ruby-based tool for automating web interactions using a headless browser, potentially integrated with an AI or automation orchestration system.
MCP-server-client-computer-use-ai-sdk
Provides an AI-driven interface to control a macOS computer by automating tasks through accessibility features and a conversational agent loop.
mcp-browser
Provides browser control (navigation, DOM interaction) and console log capture for AI coding assistants via a local MCP server, with a browser extension and macOS AppleScript as primary control mechanisms.