xing5/mcp-google-sheets
Minor capabilities, nothing alarming.
AI review
The extension uses a standard remote installation script for `uv` (astral.sh) which is a common practice, and accesses environment variables for credentials as expected for Google Sheets integration. The skill file defines a local workflow for triaging GitHub issues and does not contain hidden instructions or exfiltration logic. No deceptive tool descriptions or secret exfiltration were found.
- low Remote code execution via curl pipe to sh — Both the Dockerfile and the README use `curl -LsSf https://astral.sh/uv/install.sh | sh` to install `uv`. This is the installer Astral documents for `uv`, so it is not evidence of malice, but the pattern executes whatever the server at astral.sh returns at build or install time, with no version pin and no checksum, and the Dockerfile re-fetches it on every rebuild. `-f` and HTTPS only guard against HTTP errors and an on-path attacker; they do nothing against a compromised installer file or hosting account. The risk is rated low because astral.sh is the official distribution point for a widely used Python tool. To narrow it, pin a version in the installer URL (uv publishes versioned paths of the form `https://astral.sh/uv/<version>/install.sh`) and verify the downloaded file's hash before running it, or copy the binary from the official image with a pinned tag (`COPY --from=ghcr.io/astral-sh/uv:<version> /uv /bin/`).
- low Environment variable access for credentials — `server.py` reads `CREDENTIALS_CONFIG` from the environment, which is the expected way for a Google Sheets MCP server to receive its Google credentials. Of the three static hits in this category, only this one touches a secret: `RUN_GOOGLE_INTEGRATION` in the integration test is an opt-in flag and `ENABLED_TOOLS` in the unit test is a patched config value, so those two are noise. The static scan shows the read but not what happens to the value afterwards; before relying on this server, check that `CREDENTIALS_CONFIG` is never written to logs, error messages or tool output, and that the process environment is not exposed to the model through a debug or diagnostic tool.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
Dockerfile:21
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
README.md:40
curl -LsSf https://astral.sh/uv/install.sh | sh
Environment variables (config / keys) · Reads environment variables (config / API keys)
src/mcp_google_sheets/server.py:33
CREDENTIALS_CONFIG = os.environ.get('CREDENTIALS_CONFIG')
tests/test_google_integration.py:51
return os.environ.get("RUN_GOOGLE_INTEGRATION") == "1"
tests/test_server_unit.py:143
with patch.dict(os.environ, {"ENABLED_TOOLS": "c"}, clear=False):
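Added example of the hardening suggested for the curl-pipe-to-sh finding above. This is not code from the xing5/mcp-google-sheets repository or from MCPVet: it replaces `curl ... | sh` with download, SHA-256 check, then run, so a build fails instead of executing an installer whose content has changed. The offline demonstration hashes a constructed stand-in script; the `fetch_and_run` function (not exercised here, since it needs network access) is the shape a Dockerfile would call with a versioned installer URL and a hash the maintainer has audited. The all-zero hash is only there to show a rejection.

```shell
#!/bin/sh
# Added example: download-then-verify-then-run in place of "curl ... | sh".
# Not from xing5/mcp-google-sheets. The hash used in the demo below is computed
# for a constructed local stand-in script, not for the real astral.sh installer;
# in real use, hard-code the hash of a release you have audited.
set -eu

# Print the hex SHA-256 of a file; works with coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Execute an installer script only if its SHA-256 equals the pinned value.
# Returns 0 after running it, 1 (without running it) on a mismatch.
run_verified_installer() {
  script="$1"
  expected="$2"
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: sha256 $actual != pinned $expected" >&2
    return 1
  fi
  sh "$script"
}

# Build-time shape: fetch to a file (never to a pipe), verify, then run.
# Assumes a versioned installer URL so the content is stable across builds
# (uv documents https://astral.sh/uv/<version>/install.sh). The URL and the
# pinned hash are supplied by the caller; this function is not run in the demo.
fetch_and_run() {
  url="$1"
  expected="$2"
  tmp=$(mktemp)
  if curl -LsSf -o "$tmp" "$url" && run_verified_installer "$tmp" "$expected"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# --- Offline demonstration with a constructed stand-in for install.sh ---
SAMPLE=$(mktemp)
printf '#!/bin/sh\necho "stand-in installer ran"\n' > "$SAMPLE"
PINNED=$(sha256_of "$SAMPLE")        # the value a real Dockerfile would hard-code

run_verified_installer "$SAMPLE" "$PINNED"             # matches: script runs
if run_verified_installer "$SAMPLE" "$(printf '%064d' 0)"; then   # mismatch: rejected
  echo "BUG: tampered hash was accepted" >&2
  exit 1
fi
rm -f "$SAMPLE"
```

In a Dockerfile the equivalent of the `fetch_and_run` call replaces the single `RUN curl ... | sh` line; the hash then lives in the repository under review, so a changed installer breaks the build rather than silently running new code.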
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.