Flux159/mcp-server-kubernetes
Sensitive access patterns — review carefully.
AI review
This MCP server executes arbitrary kubectl and helm commands via child_process, which could allow an attacker to read, modify, or destroy Kubernetes resources. It also passes the entire process environment (including secrets like KUBECONFIG_YAML, K8S_TOKEN) to spawned commands, creating a risk of credential exfiltration if a command is compromised. The CI pipeline downloads and runs a remote shell script (get-helm-3) without verification, introducing a supply-chain risk.
- high Remote code execution in CI pipeline — In .github/workflows/ci.yml line 31, the command `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash` downloads and executes a shell script from a remote URL without integrity checking. If the Helm repository or CDN is compromised, this could inject malicious code into the CI environment.
- high Full environment passed to subprocesses — Multiple files (e.g., exec_in_pod.ts, helm-operations.ts, kubectl-*.ts) pass `env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG }` to child processes. This exposes all environment variables, including sensitive credentials like K8S_TOKEN, KUBECONFIG_YAML, and KUBECONFIG_JSON, to any spawned kubectl or helm command. If a command is hijacked or misused, these secrets could be leaked.
- high Unrestricted kubectl flag injection — The environment variable `ALLOW_KUBECTL_UNSAFE_FLAGS` (src/security/kubectl-flags.ts:79) can enable arbitrary flags to be passed to kubectl. This could allow an attacker to bypass security controls, execute arbitrary code, or exfiltrate data via kubectl's `--exec` or `--as` flags.
- medium No input sanitization on kubectl/helm commands — The server constructs kubectl and helm commands from user-provided arguments (e.g., resource names, namespaces, flags) without sanitization. An attacker could inject additional commands or flags via crafted inputs, leading to arbitrary command execution on the host.
- low Telemetry configuration reads sensitive env vars — src/config/telemetry-config.ts reads `OTEL_TRACES_SAMPLER` from environment variables. While not directly dangerous, telemetry configuration could inadvertently expose operational details if misconfigured.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
.github/workflows/ci.yml:31
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Shell / command execution · Executes shell / system commands
ADVANCED_README.md:5
If you have large clusters or see a `spawnSync ENOBFUS` error, you may need to specify the environment argument `SPAWN_MAX_BUFFER` (in bytes) when running the server. See [this issue](https://github.c
src/security/kubectl-flags.ts:5
} from "child_process";
src/tools/helm-operations.ts:152
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/node-management.ts:106
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/port_forward.ts:1
import { spawn } from "child_process";
tests/helm.test.ts:8
import { execSync } from "child_process";
tests/kubectl-context.unit.test.ts:4
import { execFileSync } from "child_process";
Environment variables (config / keys) · Reads environment variables (config / API keys)
src/config/max-buffer.ts:2
return parseInt(process.env.SPAWN_MAX_BUFFER || "1048577", 10);
src/config/telemetry-config.ts:31
const samplerType = process.env.OTEL_TRACES_SAMPLER;
src/index.ts:84
const allowOnlyReadonlyTools = process.env.ALLOW_ONLY_READONLY_TOOLS === "true";
src/security/kubectl-flags.ts:79
return process.env.ALLOW_KUBECTL_UNSAFE_FLAGS === "true";
src/tools/exec_in_pod.ts:123
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/helm-operations.ts:164
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-apply.ts:104
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-context.ts:80
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-create.ts:431
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-delete.ts:162
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-describe.ts:78
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-generic.ts:137
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
+ 21 more
Outbound network · Makes outbound network requests
tests/dns-rebinding.test.ts:9
/** Send a POST /mcp request with a custom Host header via http.request (fetch doesn't allow Host override). */
tests/sse.test.ts:153
const response = await fetch(readyUrl, {
tests/streaming_http.test.ts:57
const response = await fetch(readyUrl, {
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.