Step 1
Install in your client
Config is the same across clients — only the file and path differ.
CD
Supported in Claude Desktopstdio · Node 18+
Paste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"investor-agent": {
"args": [
"-y",
"investor-agent"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Embed in your READMEAbout badges →
[](https://mcppedia.org/s/investor-agent)
Read me
What Investor Agent does
Financial research MCP server for long-term investors.
Test This Server
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Loading README…
Scored, not listed
Why this score
Five weighted categories — click any category to see the underlying evidence.
Score breakdown
64/100across 5 weighted dimensions
0255075100
22
20
12
10
−36
Security
Maintenance
Efficiency
Documentation
Compatibility
Categoriesclick a row to see evidence
Security
OSV.dev12 fixed
CVE-2026-24131medium · fixedCVSS 4
pnpm has Path Traversal via arbitrary file permission modification
### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src
CVE-2026-23888low · fixedCVSS 3.1
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid
CVE-2026-23889low · fixedCVSS 3.1
pnpm has Windows-specific tarball Path Traversal
### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'
CVE-2026-23890low · fixedCVSS 3.1
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit
CVE-2026-24056low · fixedCVSS 3.1
pnpm has symlink traversal in file:/git dependencies
### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe
Community
Reviews
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
How easy was setup?Did it work reliably?How was the documentation?
Sign in to write a review.
Frequently Asked Questions
- Is Investor Agent safe to use?
- Investor Agent has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
- How do I install Investor Agent?
- Investor Agent supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
- What AI clients work with Investor Agent?
- Investor Agent is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
- Is Investor Agent actively maintained?
- Investor Agent is actively maintained — last commit was 3 days ago. It has 328 GitHub stars.
Related
Similar servers
Others in finance
A
Alpha Vantage Mcp93Real-time financial market data: stocks, forex, crypto, commodities, and economic indicators
147 3
I
io.github.xkumakichi/xaip-mcp-server92AI agents get on-chain identity, credentials, reputation, escrow, and persistent memory on XRPL.
8
Actual Mcp90Model Context Protocol for Actual Budget API
141 22
I
io.github.imbenrabi/financial-modeling-prep-mcp-server90MCP server for Financial Modeling Prep API with 250+ financial data tools
131 5
MCP Security Weekly
Get CVE alerts and security updates for Investor Agent and similar servers.
Community
Discussion
Start a conversation
Ask a question, share a tip, or report an issue.
Has anyone used this with Cursor?How do you handle auth?Any alternatives?
Sign in to join the discussion.