High
github · 250 files analyzed

mongodb-js/mongodb-mcp-server

Sensitive access patterns — review carefully.

Outbound network 1
Environment variables (config / keys) 10
Filesystem writes 1
Shell / command execution 6
Sensitive credential files 21

AI review

This is a legitimate MongoDB MCP server implementation with no deceptive or malicious code. The flagged items relate to standard development practices (environment variables for configuration, keychain for secret management, build scripts) and are not attempts to exfiltrate data or manipulate the agent. The agent instructions are purely for workflow routing and code review guidance.

Model: deepseek-chat

Static findings

Environment variables (config / keys) · Reads environment variables (config / API keys)

low MCP_SERVER_LIBRARY.md:285 production: process.env.MONGODB_PRODUCTION_URI,
low scripts/accuracy/generateTestSummary.ts:246 const { GITHUB_SERVER_URL, GITHUB_REPOSITORY, GITHUB_RUN_ID } = process.env;
low scripts/accuracy/updateAccuracyRunStatus.ts:5 const envAccuracyRunId = process.env.MDB_ACCURACY_RUN_ID;
info scripts/cleanupAtlasTestLeftovers.test.ts:146 baseUrl: process.env.MDB_MCP_API_BASE_URL || "https://cloud-dev.mongodb.com",
low scripts/generate-release-notes.ts:26 const GROVE_API_KEY = process.env["GROVE_API_KEY"];
low scripts/generate/generateArguments.ts:239 serverJson.version = process.env.VERSION || version;
low src/common/config/configUtils.ts:44 ? path.join(process.env.LOCALAPPDATA || process.env.APPDATA || os.homedir(), "mongodb")
low src/helpers/container.ts:15 if (process.env.container) {
low src/setup/aiTool.ts:53 return process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming");
low src/telemetry/telemetry.ts:240 if (typeof process === "undefined" || !process.env) {

Sensitive credential files · Reads sensitive credential files

info MCP_SERVER_LIBRARY.md:1056 // Pass keychain for automatic secret redaction
high api-extractor/reports/mongodb-mcp-server.public.api.md:404 constructor(keychain: Keychain);
high api-extractor/reports/web.public.api.md:644 constructor(keychain: Keychain | undefined);
high packages/types/src/index.ts:3 export type * from "./keychain.js";
high src/common/config/parseUserConfig.ts:2 import { Keychain } from "../keychain.js";
info src/common/keychain.ts:5 * This class holds the secrets of a single server. Ideally, we might want to have a keychain
high src/common/logging/consoleLogger.ts:1 import type { Keychain } from "../keychain.js";
high src/common/logging/diskLogger.ts:3 import type { Keychain } from "../keychain.js";
high src/common/logging/loggerBase.ts:3 import type { Keychain } from "../keychain.js";
high src/common/logging/mcpLogger.ts:3 import type { Keychain } from "../keychain.js";
high src/common/session.ts:19 import type { Keychain } from "./keychain.js";
high src/index.ts:47 import { Keychain } from "./common/keychain.js";


Shell / command execution · Executes shell / system commands

medium scripts/createMcpb.ts:9 import { spawn } from "node:child_process";
medium scripts/generate-release-notes.ts:6 import { execFileSync } from "child_process";
medium scripts/generate/generateArguments.ts:13 import { execSync } from "child_process";
medium scripts/generate/generateUI.ts:8 import { execSync } from "child_process";
medium src/setup/aiTool.ts:6 import { exec } from "child_process";
medium src/setup/installSkills.ts:2 import { spawn } from "node:child_process";

Outbound network · Makes outbound network requests

low src/common/atlas/apiClient.ts:152 const response = await fetch(url, {

Filesystem writes · Reads or writes the filesystem

low src/common/exportsManager.ts:117 await fs.rm(this.exportsDirectoryPath, { force: true, recursive: true });


MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.