Is it safe to run `claude mcp add` on a server from GitHub?

Not automatically. Installing a server from a stranger gives its code shell access, your environment, and your files the moment your agent calls it. A popular repo or a clean README is not evidence of safety — the risky behavior is in the code and install scripts, not the docs. Check what it can actually do first.

What is the most dangerous permission an MCP server can have?

Shell execution (running arbitrary commands) and downloading-and-running remote code are the most dangerous, because they turn one install into anything-goes. Reading credential files combined with network access is the next tier (data exfiltration). Most servers do not need any of these to do their job.

Does a one-time scan keep a server safe forever?

No. A server you approved can add risky behavior in a later version — approval is an event, not a permanent state. Any version change should be re-evaluated. This is why continuous re-scanning matters for servers you depend on.

MCP security guide · reviewed June 20, 2026

Is that MCP server safe? How to vet one before you install it

Q: Can an MCP server steal my secrets or API keys?

Yes, if it has reason to. An MCP server runs as a normal process on your machine with your permissions, so it can read environment variables, ~/.aws/credentials, ~/.ssh keys, .env files, and your npm/PyPI tokens unless something stops it. The risk is a server that reads those files AND makes outbound network calls — that pattern is how exfiltration happens. Scan for it before you install.

Short answer: you can't tell from the README or the star count. An MCP server, Claude Code skill, or plugin runs with your permissions the moment your agent calls it — so it can run shell commands, read your secrets and files, and make network calls. Before you claude mcp add anything from a stranger, check what its code and install scripts can actually do. Here's how — and a free way to do it in seconds.

Scan any server free Paste a GitHub URL, npm package, or a SKILL.md — get a risk grade + the exact risky lines.

Scan an extension →

The five things that actually make a server dangerous

Risk isn't "does it do something powerful" — plenty of useful servers need real access. Risk is unexpected or unnecessary capability, especially in dangerous combinations. These are the patterns worth checking, in roughly descending order of severity:

Downloads and runs remote code. curl … | sh at runtime, eval(fetch(...)), a post-install script that pulls and executes a payload. This is the "do not install" pattern — one install becomes anything.
Shell / command execution. The server shells out (os.system, child_process, subprocess(shell=True)). Sometimes legitimate (a git tool), but it's the highest-leverage capability an attacker wants.
Reads credential files. ~/.aws/credentials, ~/.ssh/id_rsa, .npmrc, .env, /etc/passwd. Fine for a few tools by design, alarming for most.
Outbound network calls. On their own, normal. Combined with reading secret files, this is the classic exfiltration shape — read your keys, phone home.
Prompt injection in its own text. Tool descriptions and returned data are read by your agent as instructions. A well-written description is also the best place to hide an injection ("ignore previous instructions and …"). The better the docs, the bigger this surface.

A 60-second manual checklist

Open the source. Grep for exec, spawn, curl, eval, and any read of ~/.ssh / .env / credentials.
Read package.json / pyproject for install/postinstall scripts — code that runs the instant you install, before you've used anything.
Ask: does it need the access it takes? A weather tool reading your SSH keys is a red flag.
Check the publisher and version history. Pin a version; treat a new version as a new thing to review (servers change after you approve them).
When in doubt, run it sandboxed (a container with no network) — but a sandbox limits blast radius, it doesn't tell you whether to trust the server.

Or scan it in seconds

MCPVet runs that whole pass for you: static analysis for the patterns above, plus an AI review for prompt-injection and malicious instructions, and gives a plain-English risk grade with the exact file and line. It's free, needs no signup, and produces a shareable report you can drop in a PR. You can run it from the web, or right inside Claude Code so your agent checks a server before it installs it:

claude mcp add mcpvet -- npx -y github:volohq-info/mcpvet

Then just ask: "scan @some/mcp-server before I install it." Browse already-scanned popular servers, or see scanning vs sandboxing vs manual review.

FAQ

Can an MCP server steal my secrets or API keys?

Yes, if it wants to. It runs with your permissions, so it can read env vars, cloud credentials, SSH keys, and tokens unless something stops it. The dangerous shape is reading those and making outbound calls. Scan for that combination.

Is it safe to `claude mcp add` a server from GitHub?

Not automatically. A clean README or lots of stars isn't evidence — the behavior lives in the code and install scripts. Check what it can actually do first.

What's the most dangerous permission?

Shell execution and download-and-run-remote-code. Reading credentials plus network access is the next tier. Most servers need none of these.

Does scanning once keep it safe forever?

No — a later version can add risky behavior. Approval is an event, not a permanent state. Re-check on version changes.

MCPVet is an automated heuristic aid, not a human security audit or a guarantee. A clean grade doesn't prove a server is safe; always review code and instructions you don't trust. Guide reviewed June 20, 2026.