Low
npm · 45 files analyzed
@modelcontextprotocol/server-everything
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 4
AI review
This is an official Anthropic MCP reference server designed to demonstrate protocol features. The static analysis shows environment variable access and network fetch capabilities, but these are used for legitimate configuration and demonstration purposes, not for exfiltration. No hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms were found.
- low Environment variable access in tools — The get-env tool exposes all environment variables via JSON.stringify(process.env). While this is a demonstration tool, it could leak sensitive credentials if the server is used in production with secrets in environment variables. This is expected behavior for a reference server but should be noted for production use.
- low Network fetch capability — The gzip-file-as-resource tool can fetch URLs over the network. This is a legitimate demonstration feature but could be used to access internal network resources if the server is deployed in an environment with network access. No malicious intent is indicated.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
dist/tools/get-env.js:23
text: JSON.stringify(process.env, null, 2),
low
dist/tools/gzip-file-as-resource.js:5
const GZIP_MAX_FETCH_SIZE = Number(process.env.GZIP_MAX_FETCH_SIZE ?? String(10 * 1024 * 1024));
low
dist/transports/sse.js:58
const PORT = process.env.PORT || 3001;
low
dist/transports/streamableHttp.js:172
const PORT = process.env.PORT || 3001;
Outbound network · Makes outbound network requests
low
dist/tools/gzip-file-as-resource.js:136
const response = await fetch(url, { signal: controller.signal });
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.