mongodb-js/mongodb-mcp-server

Powerful capabilities — review before trusting.

View source ↗

Outbound network 1

Environment variables (config / keys) 10

Filesystem writes 1

Shell / command execution 6

AI review

This is a legitimate MongoDB MCP server with no deceptive or malicious intent. The code accesses environment variables and executes shell commands only in build/test scripts, which is standard for a Node.js project. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.

Model: deepseek-chat

Static findings

Environment variables (config / keys) · Reads environment variables (config / API keys)

low MCP_SERVER_LIBRARY.md:285 production: process.env.MONGODB_PRODUCTION_URI,

low scripts/accuracy/generateTestSummary.ts:246 const { GITHUB_SERVER_URL, GITHUB_REPOSITORY, GITHUB_RUN_ID } = process.env;

low scripts/accuracy/updateAccuracyRunStatus.ts:5 const envAccuracyRunId = process.env.MDB_ACCURACY_RUN_ID;

info scripts/cleanupAtlasTestLeftovers.test.ts:146 baseUrl: process.env.MDB_MCP_API_BASE_URL || "https://cloud-dev.mongodb.com",

low scripts/generate-release-notes.ts:26 const GROVE_API_KEY = process.env["GROVE_API_KEY"];

low scripts/generate/generateArguments.ts:239 serverJson.version = process.env.VERSION || version;

low src/common/config/configUtils.ts:44 ? path.join(process.env.LOCALAPPDATA || process.env.APPDATA || os.homedir(), "mongodb")

low src/helpers/container.ts:15 if (process.env.container) {

low src/setup/aiTool.ts:53 return process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming");

low src/telemetry/telemetry.ts:240 if (typeof process === "undefined" || !process.env) {

Shell / command execution · Executes shell / system commands

medium scripts/createMcpb.ts:9 import { spawn } from "node:child_process";

medium scripts/generate-release-notes.ts:6 import { execFileSync } from "child_process";

medium scripts/generate/generateArguments.ts:13 import { execSync } from "child_process";

medium scripts/generate/generateUI.ts:8 import { execSync } from "child_process";

medium src/setup/aiTool.ts:6 import { exec } from "child_process";

medium src/setup/installSkills.ts:2 import { spawn } from "node:child_process";

Outbound network · Makes outbound network requests

low src/common/atlas/apiClient.ts:152 const response = await fetch(url, {

Filesystem writes · Reads or writes the filesystem

low src/common/exportsManager.ts:117 await fs.rm(this.exportsDirectoryPath, { force: true, recursive: true });

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.