Low
github · 29 files analyzed
elastic/mcp-server-elasticsearch
Minor capabilities, nothing alarming.
Findings: Remote code execution (1)
AI review
The extension itself is a legitimate Elasticsearch MCP server with no hidden instructions or data exfiltration mechanisms. The only finding is a documentation file that suggests running a curl-piped-to-shell command for local development, which is a common but mildly risky practice that could be exploited if the URL were compromised.
- low Remote code execution suggestion in contributing docs — docs/CONTRIBUTING.md:38 contains `curl -fsSL https://elastic.co/start-local | sh`, which pipes a remote script directly into a shell. While this is a common convenience pattern for Elastic's official start-local script, it violates security best practices and could be exploited if the URL or DNS is compromised. This is not part of the MCP server's runtime behavior, only a development setup suggestion.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
info
docs/CONTRIBUTING.md:38
curl -fsSL https://elastic.co/start-local | sh
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.