Local implementation of the Model Context Protocol (MCP) server for simulating financial‑data interactions. It is intended for developers who need a secure, simplified environment for testing applications without connecting to live financial systems or user data.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"finance-personal-assistant": {
"args": [
"mcp"
],
"command": "uvx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
This project provides a lightweight, local implementation of the Model Context Protocol (MCP) server for simulating financial‑data interactions. It is intended for developers who need a secure, simplified environment for testing applications without connecting to live financial systems or user data.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
### Summary In affected versions, the deprecated WebSocket server transport (`mcp.server.websocket.websocket_server`) accepted the WebSocket handshake without applying any `Host` or `Origin` header validation. The `TransportSecuritySettings` mechanism that the SSE and Streamable HTTP transports use for this purpose was not wired into the WebSocket transport, so there was no SDK-level way to restrict which origins could connect. ### Am I affected? Only if a developer's application server exposes
MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal
### Summary In affected versions, the SSE and Streamable HTTP server transports routed incoming requests to an existing session based only on the session identifier, without verifying that the request was authenticated as the same principal that created the session. Anyone who learned or guessed a session ID could send JSON-RPC messages on that session, regardless of which bearer token the request carried. ### Am I affected? Only if a developer's application server uses an HTTP transport (SSE,
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks
### Summary In affected versions, the default request handlers installed by the experimental tasks feature (`server.experimental.enable_tasks()`) did not check which session created a task before acting on it. On a server with more than one connected client, any client could observe, read results from, and cancel tasks belonging to other clients. ### Am I affected? Only if the developer's application server calls `server.experimental.enable_tasks()`. If `grep -r enable_tasks` over their codebas
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
### Description The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using `FastMCP` with streamable HTTP or SSE transport, and has not configured `TransportSecuritySettings`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or ac
MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Thank you to Rich Harang for reporting this issue.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in finance
Let AI agents create, discover, and track tokens across chains via Printr.
Real-time financial market data: stocks, forex, crypto, commodities, and economic indicators
Swiss accounting integration for Bexio. 310 tools for invoices, contacts, projects.
Brazilian public procurement (PNCP) and Federal Revenue CNPJ data — 16 tools, 4 prompts.
MCP Security Weekly
Get CVE alerts and security updates for Finance Personal Assistant and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
This project provides a lightweight, local implementation of the Model Context Protocol (MCP) server for simulating financial‑data interactions. It is intended for developers who need a secure, simplified environment for testing applications without connecting to live financial systems or user data.
See README_UI for UI guide
| Capability | Description |
|---|---|
| Dummy Authentication | Login succeeds if the phone number exists as a directory in test_data_dir/. |
| Pre‑canned Financial Data | Static JSON files for net‑worth, credit report, bank & MF transactions, EPF. |
| Plug‑and‑Play Tools | Each JSON dataset is exposed as an MCP tool (see list below). |
| Quick setup | Zero external integrations—just clone, install, run. |
.
├── main_mcp.py # MCP server implementation (Python)
└── test_data_dir # Dummy data grouped by phone number
├── 1111111111
│ ├── fetch_net_worth.json
│ └── ...
└── 2222222222
├── fetch_credit_report.json
└── ...
pip install mcp mcp-inspector
python main_mcp.py
The server runs using stdio transport by default.
test_data_dir/.1111111111, 2222222222, 3333333333, … (see folders).| Tool Name | Purpose |
|---|---|
authenticate_user | Dummy login check |
fetch_net_worth | Net‑worth summary + assets/liabilities |
fetch_credit_report | Credit score & account details |
fetch_bank_transactions | Full bank‑statement style transaction list |
fetch_epf_details | EPF balance & employment history |
fetch_mf_transactions | Mutual‑fund buy/sell history |
All tools accept phone_number as their sole argument.
FastMCP ships with a lightweight developer UI that lets you explore any local MCP server, run tools, and inspect raw responses—all from the browser.
pip install fastmcp
From your project root:
fastmcp dev main_mcp.py
⚙️ This spins up main_mcp.py and the web UI in one command.
Already registered the server in mcp_servers.json? Simply run:
fastmcp dev
FastMCP will auto‑detect local-financial-mcp and start it.
The UI opens at http://localhost:4400 where you can:

2222222222).fetch_net_worth, fetch_credit_report, etc.The Dev UI acts purely as a client—you can keep it open while calling the same server from Langflow or the FastMCP CLI.
If you want another FastMCP‑aware application (or CLI) to auto‑launch this mock server, add the following stanza to its mcp_servers.json (or similar) file:
{
"servers": {
"local-financial-mcp": {
"transport": "stdio", // or "sse" if you expose an HTTP endpoint
"command": "python",
"args": ["main_mcp.py"],
"cwd": "<
... [View full README on GitHub](https://github.com/beprith/Finance-personal-assistant#readme)