Clean
Outbound network 3
Environment variables (config / keys) 1
Remote code execution 2
AI review
This is a legitimate Prometheus MCP server extension with no hidden instructions, prompt injection, or data exfiltration mechanisms. The static findings are standard development practices (curl piped to sh for tool installation, environment variable usage, and localhost test requests) that pose no real safety risk in this context.
- low Remote code execution via curl pipe to sh in documentation — CONTRIBUTING.md and README.md contain `curl -LsSf https://astral.sh/uv/install.sh | sh` which is a common pattern for installing the uv package manager. This is not hidden or deceptive; it's standard developer documentation for setting up the development environment. No risk to end users of the MCP server.
- low Environment variable access for TOOL_PREFIX — The server reads `TOOL_PREFIX` from environment variables to customize tool names. This is a legitimate configuration mechanism, not an attempt to exfiltrate secrets. No credentials or sensitive data are being read or transmitted.
- low Network requests in tests and server code — Tests make requests to localhost:8080 and the server clears auth headers for requests.get. These are standard patterns for testing and HTTP client usage in a Prometheus integration. No evidence of data exfiltration to external servers.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
- info · CONTRIBUTING.md:79 · `curl -LsSf https://astral.sh/uv/install.sh | sh`
- info · README.md:216 · `curl -LsSf https://astral.sh/uv/install.sh | sh`
Outbound network · Makes outbound network requests
- low · src/prometheus_mcp_server/server.py:202 · `auth = None # Clear auth for requests.get if it's already in headers`
- info · tests/test_docker_integration.py:202 · `response = requests.get('http://localhost:8080', timeout=5)`
- info · tests/test_server.py:23 · `@patch("prometheus_mcp_server.server.requests.get")`
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low · src/prometheus_mcp_server/server.py:19 · `TOOL_PREFIX = os.environ.get("TOOL_PREFIX", "")`
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.