pab1it0/prometheus-mcp-server

No risky behavior detected.

View source ↗

Check your own MCP server

Free · no signup · instant shareable report.

Outbound network 3

Environment variables (config / keys) 1

Remote code execution 2

AI review

This extension is a standard MCP server for querying Prometheus metrics. The static findings show typical development patterns (curl piped to sh for tool installation, environment variable usage, and test network calls) that do not represent actual runtime risk. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.

low Remote code execution in install instructions — CONTRIBUTING.md and README.md contain `curl ... | sh` commands for installing the `uv` tool. This is a common developer setup pattern, not a runtime attack. The extension itself does not execute these commands.
low Environment variable for tool prefix — The server reads `TOOL_PREFIX` from the environment. This is a legitimate configuration mechanism and does not expose secrets or enable injection.
low Network calls in tests — Test files make HTTP requests to localhost and mock `requests.get`. These are standard testing patterns and pose no production risk.

Model: deepseek-chat

Static findings

Remote code execution · Downloads and executes remote code

info CONTRIBUTING.md:79 curl -LsSf https://astral.sh/uv/install.sh | sh

info README.md:216 curl -LsSf https://astral.sh/uv/install.sh | sh

Outbound network · Makes outbound network requests

low src/prometheus_mcp_server/server.py:202 auth = None # Clear auth for requests.get if it's already in headers

info tests/test_docker_integration.py:202 response = requests.get('http://localhost:8080', timeout=5)

info tests/test_server.py:23 @patch("prometheus_mcp_server.server.requests.get")

Environment variables (config / keys) · Reads environment variables (config / API keys)

low src/prometheus_mcp_server/server.py:19 TOOL_PREFIX = os.environ.get("TOOL_PREFIX", "")

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.