Flux159/mcp-server-kubernetes
Sensitive access patterns — review carefully.
AI review
This MCP server exposes full Kubernetes cluster management, including destructive and code-executing operations: pod exec, apply, delete, and Helm chart management. It reads credentials (kubeconfig, tokens, CA data) from environment variables and forwards its entire process environment to the kubectl and helm subprocesses it spawns, so an agent that has been prompt-injected into running commands through the server can also reach those credentials. The CI pipeline downloads and executes a remote install script (get-helm-3) without integrity verification, which is a supply-chain risk.
- high Unverified remote script execution in CI pipeline — In .github/workflows/ci.yml:31, the workflow runs `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash`, which fetches a shell script from the tip of the upstream `main` branch and executes it with no checksum or signature verification. Whoever can change that script (a compromised upstream repository or maintainer account) gets code execution in the CI job, along with any secrets the job holds. Pinning a specific Helm release and verifying the published SHA-256 of its tarball before installing removes the dependency on an unpinned, unverified script.
- high Credential exposure via environment variables to subprocesses — Multiple tool files (e.g., exec_in_pod.ts, helm-operations.ts, kubectl-apply.ts) spawn kubectl and helm with `env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG }`. The spread already copies every variable in the server's environment, so the explicit `KUBECONFIG` entry adds nothing, and credential material held in variables such as K8S_TOKEN, KUBECONFIG_YAML, and K8S_CA_DATA is handed to every spawned process. Note that the command run through `exec_in_pod` executes inside the target container, not on the server host, so it does not see this environment; the exposure is to the local kubectl and helm processes and to any local helper they invoke (kubectl plugins on PATH and helm post-renderers inherit it in full). If an attacker can steer the arguments, for example through a prompt injection into `kubectl_generic`, those values become reachable for exfiltration. Forwarding an explicit allowlist (PATH, HOME, KUBECONFIG, proxy settings) instead of the whole environment limits what a hijacked command can read.
- high Arbitrary command execution exposed as tools — The `exec_in_pod` tool runs an arbitrary command inside a pod, and `kubectl_generic` runs an arbitrary kubectl invocation. Both are documented, but their descriptions may not make clear that they amount to remote code execution in the cluster and access to whatever the configured credentials can reach. Combined with the environment-variable forwarding above, this is the server's main prompt-injection attack surface; the `ALLOW_ONLY_READONLY_TOOLS` switch (src/index.ts:84) is the relevant control for deployments that do not need these tools.
- medium Unsafe kubectl flags can be enabled by environment variable — In src/security/kubectl-flags.ts:79, the server permits otherwise-blocked kubectl flags when `process.env.ALLOW_KUBECTL_UNSAFE_FLAGS === 'true'`. With it set, a prompt-injected agent can pass flags such as `--insecure-skip-tls-verify`, which disables certificate validation for the API connection, so the protection is only as strong as the hygiene of the environment the server starts with. Leave it unset unless a specific workflow needs it.
- low Telemetry configuration reads environment variables — In src/config/telemetry-config.ts:31, the server reads `process.env.OTEL_TRACES_SAMPLER` to select a trace sampler. This does not exfiltrate anything by itself, but if spans record command arguments or environment details, an enabled exporter would send that data to the configured collector; check what the spans contain before pointing telemetry at an external endpoint.
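The environment-forwarding problem from the credential-exposure finding, as an added example rather than the project's own code: the flagged `{ ...process.env, KUBECONFIG }` construction next to an allowlisted builder, plus a helper that spawns a child with each environment and reports what the child actually received. The allowlist, the `SAMPLE_PARENT_ENV` values and the placeholder credentials are constructed for this example; the node binary stands in for kubectl so it runs offline.

```typescript
import { execFileSync } from "node:child_process";

type Env = Record<string, string | undefined>;

// Variables a kubectl/helm child actually needs. Illustrative allowlist for
// this example, not the project's own list; extend it for proxies, custom
// CA bundles and the like.
export const CHILD_ENV_ALLOWLIST: readonly string[] = [
  "PATH", "HOME", "KUBECONFIG", "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "TMPDIR",
];

// Names under which this server reads credential material (from the finding).
export const CREDENTIAL_VARS: readonly string[] = ["K8S_TOKEN", "KUBECONFIG_YAML", "K8S_CA_DATA"];

// The construction flagged in the report. The spread already copies every
// parent variable, so the explicit KUBECONFIG entry is redundant.
export function unsafeChildEnv(parent: Env): Env {
  return { ...parent, KUBECONFIG: parent.KUBECONFIG };
}

// Hardened form: copy only allowlisted names, and only when set, so
// credential variables never reach the child at all.
export function allowlistedChildEnv(parent: Env, allow: readonly string[] = CHILD_ENV_ALLOWLIST): Env {
  const child: Env = {};
  for (const name of allow) {
    const value = parent[name];
    if (value !== undefined) child[name] = value;
  }
  return child;
}

// Spawn a child with exactly `env` and return the environment it observed.
// The node binary stands in for kubectl/helm so this runs offline; a kubectl
// plugin or helm post-renderer launched by those tools would see the same.
export function observedChildEnv(env: Env): Record<string, string> {
  const stdout = execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(JSON.stringify(process.env))"],
    { env, encoding: "utf8" },
  );
  return JSON.parse(stdout) as Record<string, string>;
}

// Which of `names` are visible in a child environment.
export function visibleIn(child: Record<string, string>, names: readonly string[]): string[] {
  return names.filter((n) => n in child);
}

// Constructed stand-in for process.env on a server configured through
// environment variables; the credential values are placeholders.
export const SAMPLE_PARENT_ENV: Env = {
  PATH: "/usr/local/bin:/usr/bin:/bin",
  HOME: "/home/mcp",
  KUBECONFIG: "/home/mcp/.kube/config",
  K8S_TOKEN: "placeholder-bearer-token",
  KUBECONFIG_YAML: "apiVersion: v1\nkind: Config\n# placeholder",
  K8S_CA_DATA: "placeholder-base64-ca",
  ALLOW_KUBECTL_UNSAFE_FLAGS: "true",
};

// Run both constructions against the sample and report which credential
// variables each child could read.
export function compareLeakage(parent: Env = SAMPLE_PARENT_ENV): { unsafe: string[]; hardened: string[] } {
  return {
    unsafe: visibleIn(observedChildEnv(unsafeChildEnv(parent)), CREDENTIAL_VARS),
    hardened: visibleIn(observedChildEnv(allowlistedChildEnv(parent)), CREDENTIAL_VARS),
  };
}
```

`compareLeakage()` shows all three credential variables in the child under the flagged construction and none under the allowlist, while the allowlisted child still carries `KUBECONFIG`, which is the one thing kubectl needs. Unset allowlisted names are skipped rather than forwarded as empty values, so the child's environment is exactly what the server chose to give it.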
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
.github/workflows/ci.yml:31
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Shell / command execution · Executes shell / system commands
ADVANCED_README.md:5
If you have large clusters or see a `spawnSync ENOBFUS` error, you may need to specify the environment argument `SPAWN_MAX_BUFFER` (in bytes) when running the server. See [this issue](https://github.c
src/security/kubectl-flags.ts:5
} from "child_process";
src/tools/helm-operations.ts:152
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/node-management.ts:106
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/port_forward.ts:1
import { spawn } from "child_process";
tests/helm.test.ts:8
import { execSync } from "child_process";
tests/kubectl-context.unit.test.ts:4
import { execFileSync } from "child_process";
Environment variables (config / keys) · Reads environment variables (config / API keys)
src/config/max-buffer.ts:2
return parseInt(process.env.SPAWN_MAX_BUFFER || "1048577", 10);
src/config/telemetry-config.ts:31
const samplerType = process.env.OTEL_TRACES_SAMPLER;
src/index.ts:84
const allowOnlyReadonlyTools = process.env.ALLOW_ONLY_READONLY_TOOLS === "true";
src/security/kubectl-flags.ts:79
return process.env.ALLOW_KUBECTL_UNSAFE_FLAGS === "true";
src/tools/exec_in_pod.ts:123
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/helm-operations.ts:164
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-apply.ts:104
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-context.ts:80
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-create.ts:431
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-delete.ts:162
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-describe.ts:78
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-generic.ts:137
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
+ 21 more
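How the `ALLOW_KUBECTL_UNSAFE_FLAGS` gate listed above fits into argument checking, as an added example and not the project's own src/security/kubectl-flags.ts: the gate accepts only the exact string "true", and the checker matches flags by name so that `--server=...`, `-s ...` and the attached shorthand `-shttps://...` are all caught, while tokens after a bare `--` (the in-container command for `kubectl exec`) are left alone. The `UNSAFE_FLAGS` set is an assumed, illustrative list; the project's actual list may differ.

```typescript
type Env = Record<string, string | undefined>;

// kubectl flags that redirect the request to another cluster, swap the
// credentials used, impersonate another identity, or turn off TLS checks.
// Illustrative set for this example, not the project's own list.
export const UNSAFE_FLAGS: ReadonlySet<string> = new Set([
  "--insecure-skip-tls-verify",
  "--kubeconfig",
  "--server", "-s",
  "--token",
  "--username", "--password",
  "--as", "--as-group", "--as-uid",
  "--certificate-authority",
  "--client-certificate",
  "--client-key",
]);

// The gate from the finding: only the exact string "true" enables unsafe
// flags; "TRUE", "1" or "yes" leave them blocked.
export function unsafeFlagsAllowed(env: Env = process.env): boolean {
  return env.ALLOW_KUBECTL_UNSAFE_FLAGS === "true";
}

export interface ArgCheck {
  ok: boolean;
  rejected: string[];
}

// Reduce one argv token to the flag name it carries, or null if it is not a
// flag. Handles --flag, --flag=value, -s, -s=value and the attached shorthand
// form -sVALUE that pflag-style parsers (including kubectl) accept.
export function flagName(arg: string): string | null {
  if (!arg.startsWith("-") || arg === "-" || arg === "--") return null;
  if (arg.startsWith("--")) {
    const eq = arg.indexOf("=");
    return eq === -1 ? arg : arg.slice(0, eq);
  }
  return arg.slice(0, 2);
}

// Check agent-supplied kubectl arguments. Tokens after a bare "--" are
// positional for kubectl (for exec, the command run inside the container),
// so they are not inspected. A flag on the list is rejected regardless of
// its value: --insecure-skip-tls-verify=false is still refused.
export function checkKubectlArgs(args: readonly string[], allowUnsafe = false): ArgCheck {
  const rejected: string[] = [];
  for (const arg of args) {
    if (arg === "--") break;
    const name = flagName(arg);
    if (name !== null && UNSAFE_FLAGS.has(name)) rejected.push(arg);
  }
  return { ok: allowUnsafe || rejected.length === 0, rejected };
}
```

A caller would pass `unsafeFlagsAllowed()` as the second argument, so the bypass is a single, auditable decision taken from the environment rather than something each tool evaluates on its own. Rejecting by flag name (not by full token) is deliberate: the value after `=` or in the next token is attacker-controlled and irrelevant to whether the flag changes the trust boundary.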
Outbound network · Makes outbound network requests
tests/dns-rebinding.test.ts:9
/** Send a POST /mcp request with a custom Host header via http.request (fetch doesn't allow Host override). */
tests/sse.test.ts:153
const response = await fetch(readyUrl, {
tests/streaming_http.test.ts:57
const response = await fetch(readyUrl, {
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.