MCPVet
Low
Outbound network 5
Environment variables (config / keys) 5
AI review
This is a legitimate MCP server for the Hyperbrowser web scraping and browser automation service. It reads the HYPERBROWSER_API_KEY from environment variables to authenticate with the Hyperbrowser API, which is expected behavior. No hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms were found.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
info
package-lock.json:15
"axios": "^1.8.3",
low
package.json:29
"axios": "^1.8.3",
low
src/resources/dynamic/parse-resources.ts:1
import axios from "axios";
low
src/transports/sse.ts:2
import axios from "axios";
low
src/utils.ts:46
const response = await fetch(imageUrl);
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
scripts/generate_statics.ts:4
const API_KEY: string = process.env.HYPERBROWSER_API_KEY ?? "";
low
scripts/summarize_statics.ts:17
apiKey: process.env.OPENAI_API_KEY,
low
src/resources/static/data/summarized.json:5
"markdown": "Welcome to Hyperbrowser \\| Hyperbrowser\n\n![Page cover image](https://docs.hyperbrowser.ai/~gitbook/image?url=https%3A%2F%2F4095930873-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-
low
src/server.ts:11
const SSE_PORT = process.env.SSE_PORT || 3001;
low
src/utils.ts:8
hbApiKey || process.env.HB_API_KEY || process.env.HYPERBROWSER_API_KEY;
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.