Medium
github · 151 files analyzed
PostHog/mcp
Powerful capabilities — review before trusting.
Outbound network 9
Environment variables (config / keys) 6
Shell / command execution 1
AI review
This is a legitimate PostHog MCP server implementation that provides analytics tools to AI agents. All API key usage follows standard authentication patterns and is scoped to PostHog's own API. No hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms were found.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
info
examples/ai-sdk/package-lock.json:262
"../../typescript/node_modules/axios": {
info
examples/langchain-js/package-lock.json:866
"axios": "*",
info
typescript/pnpm-lock.yaml:47
version: 0.3.31(@langchain/[email protected](@opentelemetry/[email protected])([email protected]([email protected])([email protected])))(@opentelemetry/[email protected])([email protected])([email protected]([email protected])([email protected]))([email protected])
low
typescript/scripts/update-openapi-client.ts:14
const response = await fetch(SCHEMA_URL);
low
typescript/src/api/client.ts:118
const response = await fetch(url, {
low
typescript/src/api/fetcher.ts:35
const response = await fetch(input.url, {
low
typescript/src/integrations/mcp/index.ts:260
async fetch(request: Request, env: Env, ctx: ExecutionContext) {
low
typescript/src/lib/utils/api.ts:10
const response = await fetch(url, {
low
typescript/worker-configuration.d.ts:217
fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
Environment variables (config / keys) · Reads environment variables (config / API keys)
info
examples/ai-sdk/src/index.ts:10
posthogPersonalApiKey: process.env.POSTHOG_PERSONAL_API_KEY!,
info
examples/langchain-js/src/index.ts:11
posthogPersonalApiKey: process.env.POSTHOG_PERSONAL_API_KEY!,
info
examples/langchain/posthog_agent_example.py:27
personal_api_key=os.getenv("POSTHOG_PERSONAL_API_KEY"),
info
typescript/README.md:23
posthogPersonalApiKey: process.env.POSTHOG_PERSONAL_API_KEY!,
info
typescript/tests/api/client.integration.test.ts:5
const API_BASE_URL = process.env.TEST_POSTHOG_API_BASE_URL || "http://localhost:8010";
info
typescript/tests/shared/test-utils.ts:9
export const API_BASE_URL = process.env.TEST_POSTHOG_API_BASE_URL || "http://localhost:8010";
Shell / command execution · Executes shell / system commands
medium
typescript/scripts/update-openapi-client.ts:3
import { execSync } from "node:child_process";
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.