Low
github · 26 files analyzed
ppl-ai/modelcontextprotocol
Minor capabilities, nothing alarming.
Outbound network 3
Environment variables (config / keys) 8
AI review
This is the official Perplexity MCP server. It reads the PERPLEXITY_API_KEY from environment variables and makes outbound calls to api.perplexity.ai. There are no hidden instructions, deceptive tool descriptions, or exfiltration mechanisms. The HTTP transport security model is clearly documented with appropriate defaults (loopback-only, CORS restrictions).
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
low
perplexity-ask/package.json:40
"axios": "^1.6.2",
info
src/http.config.test.ts:248
const req = http.request(
low
src/server.ts:38
return fetch(url, options);
Environment variables (config / keys) · Reads environment variables (config / API keys)
info
src/http.config.test.ts:15
const originalEnv = { ...process.env };
low
src/http.ts:191
const PERPLEXITY_API_KEY = process.env.PERPLEXITY_API_KEY;
info
src/index.test.ts:140
process.env.PERPLEXITY_TIMEOUT_MS = "100";
low
src/index.ts:6
const PERPLEXITY_API_KEY = process.env.PERPLEXITY_API_KEY;
low
src/logger.ts:25
const level = process.env.PERPLEXITY_LOG_LEVEL?.toUpperCase();
info
src/server.test.ts:64
originalEnv = { ...process.env };
low
src/server.ts:14
const PERPLEXITY_API_KEY = process.env.PERPLEXITY_API_KEY;
info
src/transport.test.ts:15
originalEnv = { ...process.env };
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.