Grade: Low
Findings by category:
- Outbound network: 1
- Environment variables (config / keys): 3
- Filesystem writes: 2
- Remote code execution: 1
AI review
The extension collects telemetry (prompts, generated code, and scene metadata). This is disclosed in a separate terms document but not in the main README. Collection is on by default and can be turned off with a checkbox (opt-out), and the terms grant a broad license to use the collected data for AI training and research. No hidden instructions, credential exfiltration, or deceptive tool descriptions were found.
- low Telemetry data collection with broad license terms — When telemetry is enabled (it is on by default, so users must opt out), the extension collects prompts, generated code, scene metadata, and possibly viewport screenshots. TERMS_AND_CONDITIONS.md grants a 'worldwide, royalty-free, perpetual license' to use this data for AI training, research, and open datasets. The collection is disclosed there, but not in the README and not at installation time, so the breadth of the license may surprise users.
- low Remote code execution via uv installer — The README tells users to install uv with a curl-piped-to-sh command. That is the uv installer's usual method, but piping a remote script straight into a shell executes whatever the server, or anyone able to tamper with the download, returns, with no opportunity to inspect it first. Downloading the script to a file, reading it, and only then running it removes that blind spot. The extension itself does not execute arbitrary remote code beyond its stated functionality.
Model: deepseek-chat
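The download-then-verify alternative to the curl-piped-to-sh line, written out as an added example in Python. This is not code from the README, from the extension, or from the uv project. The URL and the expected SHA-256 digest are placeholders the operator supplies, and the digest has to come from somewhere other than the download server (a previously audited copy, a vendor-published checksum); if the same server hands out both the script and its hash, the check proves nothing.

```python
"""Download an install script, verify it against a pinned digest, and only
then execute it.

Added example; not code from the extension under review or from uv. The
digest is assumed to have been obtained out of band by the operator.
"""
import hashlib
import hmac
import subprocess
import sys
import tempfile
import urllib.request

# SHA-256 of the empty string, used only to exercise the verifier offline.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_script(data: bytes, expected_sha256: str) -> bool:
    """True only if data hashes to expected_sha256 (hex, case-insensitive)."""
    expected = expected_sha256.strip().lower()
    if len(expected) != 64:
        return False  # malformed pin: refuse rather than guess
    return hmac.compare_digest(sha256_hex(data), expected)


def download(url: str, max_bytes: int = 4 * 1024 * 1024) -> bytes:
    """Fetch the script body into memory without executing anything.

    The size cap stops a hostile server from feeding a multi-gigabyte
    'installer' that fills the disk before the hash check runs.
    """
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("installer larger than %d bytes" % max_bytes)
    return data


def install_verified(url: str, expected_sha256: str) -> int:
    """Download, verify, then run with sh. Returns the installer's exit code.

    On a digest mismatch nothing is executed and 1 is returned; the two
    digests are printed so the operator can see what changed.
    """
    data = download(url)
    if not verify_script(data, expected_sha256):
        print("digest mismatch for %s; not executing" % url, file=sys.stderr)
        print("  got      %s" % sha256_hex(data), file=sys.stderr)
        print("  expected %s" % expected_sha256, file=sys.stderr)
        return 1
    # Write to disk first: the script exists as a file the operator can read
    # before it runs, which the curl-pipe form never gives you.
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(data)
        path = fh.name
    return subprocess.run(["sh", path], check=False).returncode


if __name__ == "__main__":
    # Both arguments are operator-supplied placeholders, not real values.
    if len(sys.argv) != 3:
        sys.exit("usage: %s <url> <expected-sha256>" % sys.argv[0])
    sys.exit(install_verified(sys.argv[1], sys.argv[2]))
```

Run it as `python verify_install.py https://example.invalid/install.sh <digest>`; the name and URL are illustrative. The hash comparison uses `hmac.compare_digest` so the verifier is idiomatic for any digest comparison, even though timing is not a concern for a local file.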
Static findings
Remote code execution · Downloads and executes remote code
info
README.md:82
**Linux:** install uv with `curl -LsSf https://astral.sh/uv/install.sh | sh` (it lands in `~/.local/bin`; open a new shell so it's on your PATH). On every OS, use uv's **official installer above — not
Outbound network · Makes outbound network requests
low
addon.py:516
response = requests.get(f"https://api.polyhaven.com/categories/{asset_type}", headers=REQ_HEADERS)
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
addon.py:67
env_value = os.getenv(env_var, "")
low
src/blender_mcp/server.py:243
host = os.getenv("BLENDER_HOST", DEFAULT_HOST)
low
src/blender_mcp/telemetry.py:106
if os.environ.get(var, "").lower() in ("true", "1", "yes", "on"):
Filesystem writes · Reads or writes the filesystem
low
addon.py:868
shutil.rmtree(temp_dir)
low
src/blender_mcp/server.py:333
os.remove(temp_path)
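What a "Static findings" list like the one above amounts to is pattern matching over source text, which is why the report calls itself a heuristic aid. The following is an added example of such a scanner in Python; it is not MCPVet's scanner and not code from the extension under review. The rule set, severities, category names and the grade mapping are the author's own choices, loosely modelled on the report, and the sample files are constructed to mirror the lines the report flags. The last sample file shows the blind spot of this approach: an environment read built with `getattr` has the same effect as `os.getenv` but matches no pattern.

```python
"""Heuristic source scanner of the kind that produces 'Static findings'.

Added example, not MCPVet's scanner and not code from the extension under
review. Rules, severities and the grade mapping are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# (category, severity, pattern): one textual rule per category.
RULES = [
    ("Remote code execution", "info",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("Outbound network", "low",
     re.compile(r"\brequests\.(?:get|post|put|patch|delete|request)\s*\("
                r"|\burllib\.request\.urlopen\s*\(")),
    ("Environment variables (config / keys)", "low",
     re.compile(r"\bos\.(?:getenv|environ\.get)\s*\(|\bos\.environ\[")),
    ("Filesystem writes", "low",
     re.compile(r"\b(?:shutil\.(?:rmtree|copy\w*|move)"
                r"|os\.(?:remove|unlink|rename))\s*\(")),
]


@dataclass
class Finding:
    category: str
    severity: str
    path: str
    line: int
    snippet: str


def scan_text(path: str, text: str) -> list:
    """Run every rule over every line; one line may yield several findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, severity, path, lineno, line.strip()))
    return findings


def scan_files(files: dict) -> list:
    """files maps a path to its text, so the scan runs entirely offline."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def count_by_category(findings: list) -> Counter:
    return Counter(f.category for f in findings)


def overall_grade(findings: list) -> str:
    """Assumed mapping: the grade is the worst severity seen, 'Clean' if none."""
    if not findings:
        return "Clean"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity.capitalize()


def report(files: dict) -> str:
    """Render findings in the same shape as the report above."""
    findings = scan_files(files)
    lines = ["Grade: %s" % overall_grade(findings)]
    lines += ["%s %d" % kv for kv in sorted(count_by_category(findings).items())]
    lines += ["%s\n%s\n%s:%d\n%s" % (f.category, f.severity, f.path, f.line, f.snippet)
              for f in findings]
    return "\n".join(lines)


# Constructed sample tree. The first three files mirror lines the report
# flags; evasive.py does the same thing as addon.py's getenv but is invisible
# to a textual rule, which is why a clean scan is not proof of safety.
SAMPLE_FILES = {
    "README.md": ("# Install\n"
                  "Install uv with `curl -LsSf https://astral.sh/uv/install.sh | sh`.\n"),
    "addon.py": ("import os, shutil, requests\n"
                 "API_KEY = os.getenv('POLYHAVEN_KEY', '')\n"
                 "def fetch(cat):\n"
                 "    return requests.get(f'https://api.polyhaven.com/categories/{cat}')\n"
                 "def cleanup(temp_dir):\n"
                 "    shutil.rmtree(temp_dir)\n"),
    "telemetry.py": ("import os\n"
                     "def enabled(var):\n"
                     "    return os.environ.get(var, '').lower() in ('true', '1', 'yes', 'on')\n"),
    "evasive.py": ("import os\n"
                   "read = getattr(os, 'get' + 'env')  # same effect, no textual match\n"
                   "TOKEN = read('API_TOKEN', '')\n"),
}

if __name__ == "__main__":
    print(report(SAMPLE_FILES))
```

Against the constructed tree the scanner reports five findings (one remote-execution hit in README.md, two environment reads, one outbound request, one filesystem write) and a grade of Low, and reports nothing at all for evasive.py. A reviewer who wants more than this has to read the code, which is the point the disclaimer at the end of the page makes.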
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.