Clean
Outbound network 8
Environment variables (config / keys) 37
Filesystem writes 1
Sensitive credential files 1
AI review
This is a well-structured MCP server for Atlassian products with no hidden instructions, prompt injection, or deceptive tool descriptions. All environment variable access is legitimate for authentication and configuration purposes, and network calls are to expected Atlassian API endpoints.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
scripts/oauth_authorize.py:313
args.client_id = os.getenv("ATLASSIAN_OAUTH_CLIENT_ID")
low
src/mcp_atlassian/__init__.py:16
if os.getenv(
low
src/mcp_atlassian/confluence/client.py:141
os.environ["NO_PROXY"] = self.config.no_proxy
low
src/mcp_atlassian/confluence/config.py:92
url = os.getenv("CONFLUENCE_URL")
low
src/mcp_atlassian/jira/client.py:154
os.environ["NO_PROXY"] = self.config.no_proxy
low
src/mcp_atlassian/jira/config.py:54
metrics_str = os.getenv("JIRA_SLA_METRICS", "cycle_time,time_in_status")
low
src/mcp_atlassian/jira/forms_api.py:48
self._cloud_id = os.getenv("ATLASSIAN_OAUTH_CLOUD_ID")
low
src/mcp_atlassian/servers/client_storage.py:147
mode = os.getenv(CLIENT_STORAGE_MODE_ENV, "default").strip().lower()
low
src/mcp_atlassian/servers/main.py:685
raw = os.getenv("ATLASSIAN_OAUTH_ALLOWED_CLIENT_REDIRECT_URIS")
low
src/mcp_atlassian/utils/env.py:19
return os.getenv(env_var_name, default).lower() in ("true", "1", "yes")
low
src/mcp_atlassian/utils/environment.py:38
client_id = os.getenv(client_id_envs[0]) or os.getenv(client_id_envs[1])
low
src/mcp_atlassian/utils/oauth.py:493
oauth_enabled = os.getenv("ATLASSIAN_OAUTH_ENABLE", "").lower() in (
+ 25 more
Outbound network · Makes outbound network requests
low
src/mcp_atlassian/confluence/pages.py:843
limit: Maximum number of pages to fetch (default: 500)
low
src/mcp_atlassian/jira/users.py:244
response = requests.get(
low
src/mcp_atlassian/servers/confluence.py:379
limit: Maximum pages to fetch (start with 100 for faster results).
low
src/mcp_atlassian/utils/oauth.py:177
response = requests.post(token_endpoint, data=payload, timeout=HTTP_TIMEOUT)
info
tests/e2e/cloud/conftest.py:123
resp = requests.get(
info
tests/e2e/conftest.py:151
resp = requests.get(f"{url}/status", timeout=10)
info
tests/unit/auth/test_authentication.py:39
with patch("requests.post") as mock_post:
info
tests/unit/jira/test_users.py:421
# Mock requests.get
Filesystem writes · Reads or writes the filesystem
low
src/mcp_atlassian/preprocessing/confluence.py:90
shutil.rmtree(temp_dir, ignore_errors=True)
Sensitive credential files · Reads sensitive credential files
info
src/mcp_atlassian/utils/io.py:30
attacks (e.g., ``../../etc/passwd``).
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.