Low
github · 33 files analyzed
tsmztech/mcp-server-salesforce
Minor capabilities, nothing alarming.
Environment variables (config / keys): 1
Shell / command execution: 1
AI review
The extension imports `child_process.exec` which could be used for command execution, but it is not actually invoked in the code shown. The environment variable access is expected for Salesforce authentication. No hidden instructions or data exfiltration mechanisms were found.
- low Unused import of child_process.exec — src/utils/connection.ts imports `exec` from `child_process` but the provided code does not show any usage. This could be dead code or a potential vector if later modified. Developers should verify it is not used for arbitrary command execution.
Model: deepseek-chat
Static findings
Shell / command execution · Executes shell / system commands
medium
src/utils/connection.ts:5
import { exec } from 'child_process';
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/utils/connection.ts:78
(process.env.SALESFORCE_CONNECTION_TYPE as ConnectionType) ||
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.