Low
npm · 45 files analyzed
@modelcontextprotocol/server-everything
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 4
AI review
This is an official Anthropic MCP example server designed to demonstrate protocol features. The static analysis shows environment variable access and network fetch capabilities, but these are used for legitimate configuration and demonstration purposes, not for exfiltration. No hidden instructions, deceptive tool descriptions, or credential stealing logic was found.
- low Environment variable exposure in get-env tool — The get-env.js tool returns all environment variables via JSON.stringify(process.env). While this is an intentional demonstration tool for the MCP protocol, it could expose sensitive credentials if the server is run in an environment with secrets. Developers should ensure this tool is not exposed in production or that sensitive env vars are filtered.
- low Network fetch capability in gzip-file-as-resource — The gzip-file-as-resource.js tool can fetch URLs over the network. This is a legitimate demonstration of MCP resource capabilities, but could be misused if an attacker controls the server configuration. The fetch size is limited by GZIP_MAX_FETCH_SIZE environment variable (default 10MB).
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
dist/tools/get-env.js:23
text: JSON.stringify(process.env, null, 2),
low
dist/tools/gzip-file-as-resource.js:5
const GZIP_MAX_FETCH_SIZE = Number(process.env.GZIP_MAX_FETCH_SIZE ?? String(10 * 1024 * 1024));
low
dist/transports/sse.js:58
const PORT = process.env.PORT || 3001;
low
dist/transports/streamableHttp.js:172
const PORT = process.env.PORT || 3001;
Outbound network · Makes outbound network requests
low
dist/tools/gzip-file-as-resource.js:136
const response = await fetch(url, { signal: controller.signal });
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.