MCPVet
Low
Environment variables (config / keys) 4
Shell / command execution 1
AI review
This is an official Redis MCP server with no hidden instructions, prompt injection, or data exfiltration mechanisms. The environment variable access is standard for database configuration and logging, and the test file uses subprocess only for integration testing against a local Redis instance.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/common/config.py:16
"host": os.getenv("REDIS_HOST", "127.0.0.1"),
low
src/common/logging_utils.py:12
name = os.getenv("MCP_REDIS_LOG_LEVEL")
info
tests/test_config.py:240
@patch.dict(os.environ, {}, clear=True)
info
tests/test_integration.py:40
env={"REDIS_HOST": "localhost", "REDIS_PORT": "6379", **dict(os.environ)},
Shell / command execution · Executes shell / system commands
info
tests/test_integration.py:31
return subprocess.Popen(
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.