MCPVet
← Scan another
Low
github · 7 files analyzed

tavily-ai/tavily-mcp

Minor capabilities, nothing alarming.

View source ↗
Outbound network 3
Environment variables (config / keys) 1

AI review

This is a legitimate MCP server for Tavily's web search API. It reads the TAVILY_API_KEY from environment variables and uses axios to make HTTP requests to Tavily's API. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.

Model: deepseek-chat

Static findings

Outbound network · Makes outbound network requests

info package-lock.json:13 "axios": "^1.6.7",
low package.json:51 "axios": "^1.6.7",
low src/index.ts:6 import axios from "axios";

Environment variables (config / keys) · Reads environment variables (config / API keys)

low src/index.ts:15 const API_KEY = process.env.TAVILY_API_KEY;

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.