Low
github · 250 files analyzed

github/github-mcp-server

Minor capabilities, nothing alarming.

Outbound network: 4
Environment variables (config / keys): 1

AI review

No prompt injection, hidden instructions, data exfiltration, or deceptive tool descriptions found. The repository is a legitimate open-source MCP server for GitHub integration with standard development files.

Model: deepseek-chat

Static findings

Outbound network · Makes outbound network requests

info docs/feature-flags.md:80 - `method`: The type of data to fetch (string, required)
info docs/insiders-features.md:74 - `method`: The type of data to fetch (string, required)
low pkg/github/repositories_test.go:112 name: "successful binary file content fetch (PNG)",
low pkg/github/repository_resource_test.go:97 name: "successful text content fetch (HEAD)",

Environment variables (config / keys) · Reads environment variables (config / API keys)

low ui/scripts/build.mjs:12 process.env.APP = app;

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.