Low
npm · 45 files analyzed
@modelcontextprotocol/server-everything
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 4
AI review
This is an official Anthropic MCP example server designed to demonstrate protocol features. The env_access findings are expected for a demonstration server that needs to show environment variable functionality, and the network fetch is for a gzip file download feature. No deceptive or malicious patterns were found.
- low Environment variable exposure in get-env tool — The get-env.js tool returns all environment variables via JSON.stringify(process.env). This is intentional for a demonstration server that showcases MCP capabilities, but could expose sensitive credentials if used in production. This is a design choice for the example server, not a hidden malicious feature.
- low Network fetch capability in gzip-file-as-resource — The gzip-file-as-resource.js tool fetches URLs to demonstrate resource handling. This is part of the server's stated purpose to exercise all MCP protocol features. The fetch size is configurable via environment variable with a 10MB default limit.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low dist/tools/get-env.js:23
  text: JSON.stringify(process.env, null, 2),
- low dist/tools/gzip-file-as-resource.js:5
  const GZIP_MAX_FETCH_SIZE = Number(process.env.GZIP_MAX_FETCH_SIZE ?? String(10 * 1024 * 1024));
- low dist/transports/sse.js:58
  const PORT = process.env.PORT || 3001;
- low dist/transports/streamableHttp.js:172
  const PORT = process.env.PORT || 3001;
Outbound network · Makes outbound network requests
- low dist/tools/gzip-file-as-resource.js:136
  const response = await fetch(url, { signal: controller.signal });
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.