xero-expenses-mcp
Verified Safe
by muness
Overview
Manages Xero accounting tasks including creating invoices, bills, expenses, and expense claims, with file attachments and PKCE authentication.
Installation
npx xero-expenses-mcp
Environment Variables
- XERO_CLIENT_ID
- XERO_CLIENT_SECRET
- XERO_REDIRECT_URI
Security Notes
The server correctly uses PKCE for OAuth, avoiding client secret exposure for desktop apps. Tokens are stored locally in the user's home directory (`~/.xero-mcp/token.json`), so their protection relies on host file system security. File attachment functions (e.g., `readFileSync(filePath)`) take a user-provided `filePath`. While this is common for local tools, in a less trusted environment it could pose a risk if malicious file paths (e.g., directory traversal) are injected without proper sanitization. No `eval` or obvious malicious code patterns were found. Dependencies are reputable.
Similar Servers
mcp-x402
Generates X402 payment headers and looks up associated wallet addresses for internet-native payments using the Model Context Protocol.
Trackor
Provides an MCP server for tracking personal expenses, including adding, listing, summarizing, updating, and exporting data.
x402-mcp-server
Enables AI agents to pay for x402-protected database queries and API calls using USDC on the Base blockchain.
crowdit-mcp-server
Unified Model Context Protocol (MCP) server for integrating various business services and applications, designed to be interacted with by AI agents.