Low
github · 64 files analyzed
exa-labs/exa-mcp-server
Minor capabilities, nothing alarming.
Outbound network 2
Environment variables (config / keys) 16
AI review
This is a legitimate MCP server for Exa's search API. It reads the EXA_API_KEY environment variable to authenticate with Exa's service, which is expected behavior for an API client. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.
- low Environment variable usage is appropriate — The server reads EXA_API_KEY from environment variables to authenticate with Exa's API. This is standard and necessary for the extension's stated purpose of providing search capabilities.
- low No deceptive or hidden instructions — All tool descriptions and documentation accurately describe the extension's purpose as a search API client. No prompt injection, hidden system prompts, or instructions to exfiltrate data were detected.
- low Standard network dependencies — The axios dependency is used for making HTTP requests to Exa's API, which is expected for a search tool. No suspicious network behavior or unexpected endpoints were identified.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
api/mcp.ts:1
process.env.AGNOST_LOG_LEVEL = 'error';
low
api/well-known-oauth-protected-resource.ts:8
const OAUTH_ISSUER = process.env.OAUTH_ISSUER || 'https://auth.exa.ai';
low
api/well-known-openai-apps-challenge.ts:22
const raw = process.env.OPENAI_APPS_CHALLENGE_TOKEN || '';
low
src/stdio.ts:1
process.env.AGNOST_LOG_LEVEL = process.env.AGNOST_LOG_LEVEL ?? "error";
low
src/tools/companyResearch.ts:35
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/deepResearchCheck.ts:43
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/deepResearchStart.ts:36
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/deepSearch.ts:42
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/exaCode.ts:38
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/linkedInSearch.ts:32
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/peopleSearch.ts:35
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
low
src/tools/webFetch.ts:67
const exa = new Exa(config?.exaApiKey || process.env.EXA_API_KEY || '');
+ 4 more
Outbound network · Makes outbound network requests
info
package-lock.json:13
"axios": "^1.13.6",
low
package.json:53
"axios": "^1.13.6",
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.