MCPVet
Clean
Check your own MCP server
Free · no signup · instant shareable report.
Environment variables (config / keys) 1
Filesystem writes 1
Remote code execution 1
AI review
No safety risks found. The extension is a legitimate MCP server for the Kagi search API. The curl pipe-to-sh install instruction is a common convenience pattern, not a hidden attack. The env var access and file deletion are standard operations for the stated purpose.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
info
README.md:20
curl -LsSf https://astral.sh/uv/install.sh | sh
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/kagimcp/server.py:33
_api_key_env = os.environ.get("KAGI_API_KEY")
Filesystem writes · Reads or writes the filesystem
low
src/openapi_client/api_client.py:705
os.remove(path)
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.