Low
github · 55 files analyzed
tevonsb/homeassistant-mcp
Minor capabilities, nothing alarming.
Outbound network 4
Environment variables (config / keys) 13
Shell / command execution 1
AI review
This extension is a legitimate MCP server for Home Assistant integration. All network connections, environment variable accesses, and command executions are standard for this type of home automation bridge and match the stated purpose. No hidden instructions, prompt injection vectors, or data exfiltration mechanisms were found.
- low Standard Home Assistant integration patterns — The code accesses environment variables (HASS_HOST, HASS_TOKEN, NODE_ENV) and establishes WebSocket connections to local Home Assistant instances, which is expected behavior for a Home Assistant MCP server. The exec() call in the macOS integration file is for legitimate platform-specific functionality. All network connections target localhost or user-configured Home Assistant URLs.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
- info · README.md:529 · const ws = new WebSocket('ws://localhost:3000/ws');
- info · docs/API.md:327 · const ws = new WebSocket('ws://your-server/api/websocket');
- low · src/hass/index.ts:189 · this.ws = new WebSocket(this.url);
- low · src/websocket/client.ts:30 · this.ws = new WebSocket(this.url);
Environment variables (config / keys) · Reads environment variables (config / API keys)
- info · __tests__/hass/hass.test.ts:55 · const originalEnv = { ...process.env };
- info · __tests__/hass/index.test.ts:229 · const originalEnv = process.env;
- info · __tests__/index.test.ts:7 · const TEST_HASS_HOST = process.env.TEST_HASS_HOST || 'http://localhost:8123';
- info · __tests__/security/index.test.ts:161 · const originalEnv = process.env.NODE_ENV;
- info · __tests__/security/middleware.test.ts:168 · const originalEnv = process.env.NODE_ENV;
- low · jest.setup.cjs:26 · process.env.HASS_URL = 'http://localhost:8123';
- low · jest.setup.js:4 · process.env.HASS_URL = 'http://localhost:8123';
- low · jest.setup.ts:9 · process.env.NODE_ENV = 'test';
- low · src/config/hass.config.ts:7 · BASE_URL: process.env.HASS_HOST || 'http://homeassistant.local:8123',
- info · src/hass/index.ts:100 · // Directly return the default value or use process.env
- low · src/index.ts:11 · const envFile = process.env.NODE_ENV === 'production'
- low · src/security/index.ts:176 · message: process.env.NODE_ENV === 'development' ? err.message : undefined
+ 1 more
Shell / command execution · Executes shell / system commands
- medium · src/platforms/macos/integration.ts:1 · import { exec } from 'child_process';
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.