mlava/scholar-sidekick-mcp
github · 38 files analyzed
Grade: Low (minor capabilities, nothing alarming)
Capabilities detected:
- Outbound network: 2
- Environment variables (config / keys): 3
- Shell / command execution: 1
AI review
No safety risks found. The extension performs scholarly identifier resolution and citation formatting via a public API, with no hidden instructions, data exfiltration, or deceptive tool descriptions. The use of environment variables for API keys is standard and appropriate.
- low Standard API key configuration — The extension reads RAPIDAPI_KEY from environment variables, which is a normal and expected pattern for API authentication. No attempt to exfiltrate or misuse credentials.
- low Legitimate network calls to Scholar Sidekick API — Network requests are made to the Scholar Sidekick API endpoint for resolving identifiers and formatting citations, matching the stated purpose of the extension.
- low No prompt injection or hidden instructions — The SKILL.md file contains clear, appropriate instructions for when and how to use the tools, with no attempts to manipulate the agent or exfiltrate data.
Model: deepseek-chat
Static findings

Shell / command execution · Executes shell / system commands
- medium · scripts/pack.mjs:15
  import { execFileSync } from "node:child_process";

Outbound network · Makes outbound network requests
- low · src/client.ts:77
  const res = await fetch(url, {
- info · test/endpoint-contract.test.ts:58
  const res = await fetch(OPENAPI_URL, { signal: AbortSignal.timeout(10_000) });

Environment variables (config / keys) · Reads environment variables (config / API keys)
- low · src/client.ts:28
  const rapidApiKey = process.env.RAPIDAPI_KEY || undefined;
- info · test/endpoint-contract.test.ts:55
  it.skipIf(!process.env.CHECK_LIVE_CONTRACT)(
- info · test/well-known-parity.test.ts:73
  it.skipIf(!process.env.CHECK_LIVE_WELL_KNOWN)(
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.