Critical
github · 45 files analyzed

pab1it0/prometheus-mcp-server

Dangerous patterns detected — do not install blindly.



Outbound network 3
Environment variables (config / keys) 1
Remote code execution 2

AI review

This extension is a standard MCP server for querying Prometheus metrics. The static findings show typical development patterns (curl piped to sh for tool installation, environment variable usage, and test network calls) that do not represent actual safety risks in the deployed extension. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.

Model: deepseek-chat

Static findings

Remote code execution · Downloads and executes remote code

critical CONTRIBUTING.md:79 curl -LsSf https://astral.sh/uv/install.sh | sh
info README.md:216 curl -LsSf https://astral.sh/uv/install.sh | sh

Outbound network · Makes outbound network requests

low src/prometheus_mcp_server/server.py:202 auth = None # Clear auth for requests.get if it's already in headers
info tests/test_docker_integration.py:202 response = requests.get('http://localhost:8080', timeout=5)
info tests/test_server.py:23 @patch("prometheus_mcp_server.server.requests.get")

Environment variables (config / keys) · Reads environment variables (config / API keys)

low src/prometheus_mcp_server/server.py:19 TOOL_PREFIX = os.environ.get("TOOL_PREFIX", "")
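As an added example, not part of the MCPVet report or of the prometheus-mcp-server project, the Python scanner below reproduces the three finding categories above with hand-written regexes and then weights each hit by context, which is what separates the report's raw pattern matches from a reviewer's judgement: a curl-piped-to-sh line in a Markdown file is an instruction to a human and is scored info, the same line in a shell script is critical; a pattern that appears only in a Python comment (the server.py:202 hit above) is recorded as info with a note; hits under tests/ are info. The regexes, the severity rules and the sample tree are this example's own assumptions; the sample files loosely mirror the snippets in the report, and scripts/bootstrap.sh is a hypothetical file that does not exist in the repository, included only to show the contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Heuristic patterns for the report's three categories. These regexes are
# this example's own assumptions, not MCPVet's rules.
PATTERNS = {
    "remote_code_execution": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "outbound_network": re.compile(r"\b(requests|httpx)\.(get|post|put|patch|delete|request)\b"),
    "env_read": re.compile(r"\bos\.(environ|getenv)\b"),
}
DOC_SUFFIXES = (".md", ".rst", ".txt")
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    category: str
    severity: str
    path: str
    lineno: int
    snippet: str
    note: str = ""


def severity_for(category: str, path: str) -> str:
    """Weight a hit by where it lives, not only by what it matches."""
    if category == "remote_code_execution":
        # In docs it is an instruction to a human; in a script it runs.
        return "info" if path.endswith(DOC_SUFFIXES) else "critical"
    if path.startswith("tests/") or path.endswith(DOC_SUFFIXES):
        return "info"
    return "low"


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # For Python, split code from a trailing comment so a mere mention of
        # requests.get in a comment is not scored like a real call. (Naive:
        # a '#' inside a string literal would also split the line.)
        if path.endswith(".py"):
            code, _, comment = line.partition("#")
        else:
            code, comment = line, ""
        for category, pattern in PATTERNS.items():
            if pattern.search(code):
                findings.append(Finding(category, severity_for(category, path),
                                        path, lineno, line.strip()))
            elif pattern.search(comment):
                findings.append(Finding(category, "info", path, lineno, line.strip(),
                                        note="pattern appears only in a comment"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Per-category counts, like the header of the report."""
    return dict(Counter(f.category for f in findings))


def grade(findings: list[Finding]) -> str:
    """Overall grade is the single worst finding, as in the report header."""
    if not findings:
        return "clean"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample tree, loosely mirroring the report's snippets.
# scripts/bootstrap.sh is hypothetical and is not in the real repository.
SAMPLE_FILES = {
    "CONTRIBUTING.md": "## Setup\n\ncurl -LsSf https://astral.sh/uv/install.sh | sh\n",
    "src/prometheus_mcp_server/server.py": (
        "import os\n"
        "import requests\n"
        'TOOL_PREFIX = os.environ.get("TOOL_PREFIX", "")\n'
        "auth = None  # Clear auth for requests.get if it's already in headers\n"
        "response = requests.get(url, headers=headers, auth=auth, timeout=10)\n"
    ),
    "tests/test_server.py": '@patch("prometheus_mcp_server.server.requests.get")\n',
    "scripts/bootstrap.sh": "#!/bin/sh\ncurl -LsSf https://example.invalid/install.sh | sh\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        tag = f"  [{f.note}]" if f.note else ""
        print(f"{f.severity:8} {f.path}:{f.lineno}  {f.snippet}{tag}")
    print(summarize(results), "grade:", grade(results))
```

Run on the sample tree the scanner produces the same per-category counts as the report header (2 remote code execution, 3 outbound network, 1 environment read) but grades the tree critical only because of the hypothetical shell script; drop that file and the worst finding is low. That is the distinction the report's own severities blur when the same curl line is critical in CONTRIBUTING.md and info in README.md: location and file kind, not the text of the match, decide whether a pattern executes in the deployed server.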


MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.