Grade: Clean
Outbound network: 11 findings
Environment variables (config / keys): 19 findings
Sensitive credential files: 4 findings
AI review
No real safety risk found. The flagged items are standard environment variable usage in a Node.js application, test files with path traversal examples (which are tests, not exploitable), and a CI workflow that configures a private npm registry. All are consistent with the extension's stated purpose of providing Neon database management tools.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
.agents/skills/logging-best-practices/rules/context.md:124
commit_hash: process.env.COMMIT_SHA || process.env.GIT_COMMIT,
low
.agents/skills/logging-best-practices/rules/structure.md:23
level: process.env.LOG_LEVEL || 'info',
low
landing/app/api/[transport]/route.ts:217
environment: (process.env.NODE_ENV ??
info
landing/e2e/global-setup.ts:108
// BEFORE globalSetup runs. But process.env changes propagate to spawned processes.
low
landing/lib/config.ts:8
process.env.SERVER_HOST ||
low
landing/lib/oauth/cookies.ts:139
secure: process.env.NODE_ENV === 'production',
info
landing/mcp-src/__tests__/refresh-concurrency.bench.test.ts:292
process.env.KV_URL = 'redis://test';
info
landing/mcp-src/__tests__/refresh-lock.test.ts:41
process.env.KV_URL = 'redis://test';
info
landing/mcp-src/__tests__/route-session-binding.integration.test.ts:97
process.env.KV_URL = 'redis://localhost:6379';
info
landing/mcp-src/__tests__/route-sse-binding.test.ts:147
process.env.KV_URL = 'redis://localhost:6379';
info
landing/mcp-src/__tests__/session-binding.integration.test.ts:9
const REDIS_URL = process.env.REDIS_URL || process.env.KV_URL;
info
landing/mcp-src/__tests__/session-binding.test.ts:158
process.env.KV_URL = 'redis://localhost:6379';
+ 7 more
Sensitive credential files · Reads sensitive credential files
info
.github/workflows/pr.yml:35
printf 'save-exact=true\nshamefully-hoist=true\nregistry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/\n' > .npmrc
info
CLAUDE.md:15
> **Troubleshooting:** If `pnpm install` fails with registry or network errors, check whether your npm registry is configured to use the Databricks proxy. Set the registry in `~/.npmrc` or `landing/.n
info
landing/mcp-src/__tests__/docs-tools.test.ts:180
params: { slug: '../../../etc/passwd' },
info
landing/mcp-src/__tests__/neon-auth-config.test.ts:74
['file scheme', 'file:///etc/passwd'],
Outbound network · Makes outbound network requests
low
landing/lib/oauth/client.ts:191
return globalThis.fetch(input, init);
info
landing/mcp-src/__tests__/helpers/neon-auth-mocks.ts:43
// (axios 404) should override this mock with `mockRejectedValue` of a
info
landing/mcp-src/__tests__/neon-auth-provision.test.ts:2
import { AxiosError } from 'axios';
low
landing/mcp-src/server/account.ts:2
import { isAxiosError } from 'axios';
low
landing/mcp-src/server/errors.ts:1
import { isAxiosError } from 'axios';
low
landing/mcp-src/tools/handlers/docs.ts:11
const response = await fetch(NEON_DOCS_INDEX_URL, {
info
landing/mcp-src/tools/handlers/neon-auth-config.ts:511
// In practice axios's default validateStatus rejects 4xx/5xx as
low
landing/mcp-src/tools/handlers/neon-auth-settings-snapshot.ts:10
import { isAxiosError } from 'axios';
low
landing/mcp-src/tools/handlers/neon-auth.ts:3
import { isAxiosError } from 'axios';
low
landing/package.json:37
"axios": "1.13.6",
info
landing/pnpm-lock.yaml:32
axios:
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.