Low
- Outbound network: 2
- Environment variables (config / keys): 1
- Shell / command execution: 1
AI review
The extension uses axios for HTTP requests and child_process for executing commands, which are expected for its stated purpose of launching Godot and capturing debug output. No hidden instructions, prompt injection, or data exfiltration mechanisms were found. The DEBUG environment variable access is standard and not a security concern.
- low Use of axios for network requests — axios is included as a dependency, which could be used to make outbound HTTP requests. However, this is a common library and the extension's purpose (launching Godot, capturing output) does not inherently require network access. No evidence of misuse was found in the provided code.
- low Use of child_process for command execution — The extension imports spawn and execFile from child_process, which is expected for launching the Godot editor and running projects. This is consistent with the stated purpose and not inherently malicious.
- low Environment variable access for DEBUG mode — The extension reads process.env.DEBUG to enable debug mode. This is a standard practice for development and does not expose sensitive data or pose a security risk.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
- info package-lock.json:13: "axios": "^1.7.9",
- low package.json:37: "axios": "^1.7.9",
Shell / command execution · Executes shell / system commands
- medium src/index.ts:13: import { spawn, execFile } from 'child_process';
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low src/index.ts:26: const DEBUG_MODE: boolean = process.env.DEBUG === 'true';
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.