Clean
Outbound network 6
Environment variables (config / keys) 4
AI review
This extension is a legitimate MCP server for interacting with Obsidian via its Local REST API. It reads the API key from environment variables and makes HTTP requests to a local Obsidian instance, which is expected behavior. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.
- low Environment variable usage for API key — The extension reads OBSIDIAN_API_KEY from environment variables, which is standard and necessary for authenticating with the Obsidian REST API. The key is only sent to the local Obsidian instance, not to any external service.
- low Network requests to localhost only — All HTTP requests are made to the configured OBSIDIAN_HOST (default 127.0.0.1) and OBSIDIAN_PORT (default 27124), which is the local Obsidian REST API plugin. No external network calls are made.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
low
src/mcp_obsidian/obsidian.py:59
response = requests.get(url, headers=self._get_headers(), verify=self.verify_ssl, timeout=self.timeout)
info
tests/test_get_frontmatter.py:30
with patch("mcp_obsidian.obsidian.requests.get", return_value=_note_json_response()) as mock_get:
info
tests/test_obsidian_put_content.py:21
with patch("mcp_obsidian.obsidian.requests.put", return_value=_ok_response()) as mock_put, \
info
tests/test_obsidian_requests.py:89
with patch("mcp_obsidian.obsidian.requests.get", return_value=_json_response({"files": ["a.md"]})) as mock_get:
info
tests/test_obsidian_utf8.py:23
with patch("mcp_obsidian.obsidian.requests.post", return_value=_ok_response()) as mock_post:
info
tests/test_search_by_tag.py:23
with patch("mcp_obsidian.obsidian.requests.post", return_value=resp) as mock_post:
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/mcp_obsidian/obsidian.py:11
protocol: str = os.getenv('OBSIDIAN_PROTOCOL', 'https').lower(),
low
src/mcp_obsidian/server.py:26
api_key = os.getenv("OBSIDIAN_API_KEY")
low
src/mcp_obsidian/tools.py:12
api_key = os.getenv("OBSIDIAN_API_KEY", "")
info
tests/conftest.py:4
os.environ.setdefault("OBSIDIAN_API_KEY", "test-key")
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.