Grade: Low
Outbound network: 3 findings
Environment variables (config / keys): 1 finding
AI review
This is a legitimate MCP server from the official Tavily team that provides web search, extraction, mapping, and crawling tools. It uses a standard API key pattern via environment variable or URL parameter, with no hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms.
- low Standard API key usage — The API key is read from process.env.TAVILY_API_KEY and passed to the Tavily API. This is the expected authentication pattern for a search API service and does not exfiltrate credentials.
- low No hidden instructions or prompt injection — All tool descriptions and instructions in the README and source code are transparent about the extension's purpose. No attempts to manipulate the agent or inject hidden prompts were found.
- low Legitimate network dependency — The axios dependency is used solely to make HTTP requests to the Tavily API (api.tavily.com), which is consistent with the stated purpose of providing web search capabilities.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
- info (package-lock.json:13): "axios": "^1.6.7",
- low (package.json:51): "axios": "^1.6.7",
- low (src/index.ts:6): import axios from "axios";
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low (src/index.ts:15): const API_KEY = process.env.TAVILY_API_KEY;
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.