Low
npm · 45 files analyzed
@modelcontextprotocol/server-everything
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 4
AI review
This is an official Anthropic MCP reference server designed to demonstrate protocol features. The env access is intentional for demonstration purposes and does not exfiltrate data. No hidden instructions, deceptive tool descriptions, or data exfiltration mechanisms were found.
- low Environment variable exposure in get-env tool — The get-env.js tool returns all environment variables via JSON.stringify(process.env). While this is an intentional demonstration tool for the MCP protocol, it could expose sensitive credentials if the server is used in production. Developers should ensure this tool is not exposed in production environments or that sensitive env vars are filtered.
- low Network fetch capability in gzip-file-as-resource — The gzip-file-as-resource.js tool can fetch URLs via fetch(). This is an intentional demonstration of MCP resource capabilities, but could be used to access internal network resources if not properly restricted. The fetch size is limited by GZIP_MAX_FETCH_SIZE env var.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
dist/tools/get-env.js:23
text: JSON.stringify(process.env, null, 2),
low
dist/tools/gzip-file-as-resource.js:5
const GZIP_MAX_FETCH_SIZE = Number(process.env.GZIP_MAX_FETCH_SIZE ?? String(10 * 1024 * 1024));
low
dist/transports/sse.js:58
const PORT = process.env.PORT || 3001;
low
dist/transports/streamableHttp.js:172
const PORT = process.env.PORT || 3001;
Outbound network · Makes outbound network requests
low
dist/tools/gzip-file-as-resource.js:136
const response = await fetch(url, { signal: controller.signal });
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.