Medium
github · 250 files analyzed
getsentry/sentry-mcp
Powerful capabilities — review before trusting.
Outbound network 10
Environment variables (config / keys) 4
Shell / command execution 2
Sensitive credential files 1
AI review
No prompt injection, hidden instructions, data exfiltration, or deceptive tool descriptions found. The codebase is a legitimate Sentry MCP server implementation with standard development patterns and documentation.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
low
TELEMETRY.md:89
fields=timestamp,metric,http.request.method,http.route,http.response.status_code,app.response.status_class,app.route.group,app.client.family,app.server.mode.agent,app.server.mode.experimental,value
info
docs/contributing/search-events-api-patterns.md:123
- Sort fields for aggregate results must stay raw, for example `-p95(value,http.request.duration,distribution,millisecond)`
info
docs/operations/monitoring.md:99
async fetch(request, env, ctx): Promise<Response> {
info
docs/releases/cloudflare.md:75
async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
info
docs/specs/search-events.md:95
- **Tracemetrics dataset**: Focus on `metric.name`, `metric.type`, `metric.unit`, `value`, and metric-aware aggregates like `p95(value,http.request.duration,distribution,millisecond)`
low
packages/mcp-cloudflare/src/server/index.ts:262
const response = await oAuthProvider.fetch(request, env, ctx);
info
packages/mcp-cloudflare/src/server/lib/client-family.test.ts:23
["axios/1.15.0", "other"],
low
packages/mcp-cloudflare/src/server/metrics.ts:116
"http.request.method": request.method,
info
packages/mcp-cloudflare/src/server/oauth/authorize.test.ts:123
const response = await app.fetch(request, testEnv as Env);
low
packages/mcp-cloudflare/src/server/oauth/helpers.ts:343
const resp = await fetch(upstream_url, {
Environment variables (config / keys) · Reads environment variables (config / API keys)
info
docs/operations/monitoring.md:115
dsn: process.env.SENTRY_DSN,
low
packages/agent-cli-test/src/auth.ts:31
...process.env,
low
packages/agent-cli-test/src/index.ts:95
const defaultCwd = process.env.INIT_CWD ?? process.cwd();
low
packages/agent-cli-test/src/process.ts:30
env: process.env,
Shell / command execution · Executes shell / system commands
medium
packages/agent-cli-test/src/auth.ts:1
import { spawn } from "node:child_process";
medium
packages/agent-cli-test/src/process.ts:1
import { spawn } from "node:child_process";
Sensitive credential files · Reads sensitive credential files
info
packages/mcp-cloudflare/src/server/lib/html-utils.test.ts:24
["file:///etc/passwd", "file: scheme"],
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.