grafana/mcp-grafana

High: sensitive access patterns — review carefully.
github · 250 files analyzed

Static finding counts by category:
Outbound network: 1
Environment variables (config / keys): 5
Shell / command execution: 1
Sensitive credential files: 1

AI review

No safety risks found. The extension is a legitimate Grafana MCP server with standard build, test, and release automation. The static findings are benign: command execution and network access are expected for a build script, environment variable access is for configuration, and the path traversal in a test file is a unit test for error handling.

Model: deepseek-chat

Static findings (severity · file:line · matched source line)

Shell / command execution · Executes shell / system commands
  medium  .claude-plugin/install-binary.mjs:3    import { spawn } from 'node:child_process';

Outbound network · Makes outbound network requests
  low     .claude-plugin/install-binary.mjs:83   const response = await fetch(url);

Environment variables (config / keys) · Reads environment variables (config / API keys)
  low     .claude-plugin/install-binary.mjs:11   const PLUGIN_ROOT = process.env.CLAUDE_PLUGIN_ROOT;
  info    tests/admin_test.py:27                 grafana_url = os.environ.get("GRAFANA_URL", DEFAULT_GRAFANA_URL)
  info    tests/conftest.py:42                   return os.environ.get("MCP_TRANSPORT", DEFAULT_MCP_TRANSPORT)
  info    tests/disable_write_test.py:11         env = {"GRAFANA_URL": os.environ.get("GRAFANA_URL", "http://localhost:3000")}
  info    tests/utils.py:41                      mcp_url = os.environ.get("MCP_GRAFANA_URL", "http://localhost:8000")

Sensitive credential files · Reads sensitive credential files
  high    k8s_client_test.go:319                 _, err := client.Get(context.Background(), testDashboardDesc, "default", "../../etc/passwd")
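How findings of this shape are produced, as an added example that is neither MCPVet's scanner nor mcp-grafana code: a small heuristic scanner whose rules, severities, function names and sample files are all constructed here to mirror the snippets quoted in the report. Each source line is matched against per-category patterns, and, as the caveat a reviewer would apply, a match inside a test file is downgraded one severity step. That is why the `../../etc/passwd` literal in `k8s_client_test.go` (which the AI review above describes as a unit test for error handling) ends up below the real `spawn` and `fetch` calls in the install script, whereas the report itself left that line at high. The `TestGetRejectsTraversal` function name in the sample is invented for the example.

```python
"""Heuristic static scanner in the style of the findings above.

Added example. The rule set, severities, test-file heuristic and sample
files are constructed for illustration; they are not MCPVet's rules and
not code from grafana/mcp-grafana.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    path: str
    line: int
    snippet: str


# Constructed rules: (category, pattern, base severity).
RULES = [
    ("Shell / command execution",
     re.compile(r"\bchild_process\b|\bsubprocess\b|\bexec\.Command\("), "medium"),
    ("Outbound network",
     re.compile(r"\bfetch\(|\bhttp\.Get\(|\brequests\.(?:get|post)\("), "low"),
    ("Environment variables (config / keys)",
     re.compile(r"\bprocess\.env\b|\bos\.environ\b|\bos\.Getenv\("), "low"),
    ("Sensitive credential files",
     re.compile(r"etc/(?:passwd|shadow)|\.ssh/|\.aws/credentials"), "high"),
]

# Test-file heuristic: Go *_test.go, Python *_test.py or tests/ dirs, JS *.test.js/ts.
TEST_PATH = re.compile(r"_test\.go$|_test\.py$|\.test\.[jt]s$|(?:^|/)tests?/")

# One-step downgrade applied to matches inside test files.
DOWNGRADE = {"high": "medium", "medium": "low", "low": "info", "info": "info"}


def is_test_file(path: str) -> bool:
    return TEST_PATH.search(path) is not None


def scan_source(path: str, source: str, downgrade_tests: bool = True) -> list[Finding]:
    """Return one Finding per (line, rule) match within a single file."""
    findings = []
    in_test = downgrade_tests and is_test_file(path)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern, severity in RULES:
            if pattern.search(line):
                sev = DOWNGRADE[severity] if in_test else severity
                findings.append(Finding(category, sev, path, lineno, line.strip()))
    return findings


def scan_repo(files: dict[str, str], downgrade_tests: bool = True) -> list[Finding]:
    out: list[Finding] = []
    for path, source in files.items():
        out.extend(scan_source(path, source, downgrade_tests))
    return out


def category_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


# Constructed sample inputs that mirror the snippets quoted in the report.
SAMPLE_FILES = {
    ".claude-plugin/install-binary.mjs": (
        "import { spawn } from 'node:child_process';\n"
        "const PLUGIN_ROOT = process.env.CLAUDE_PLUGIN_ROOT;\n"
        "const response = await fetch(url);\n"
    ),
    "tests/admin_test.py": (
        'grafana_url = os.environ.get("GRAFANA_URL", DEFAULT_GRAFANA_URL)\n'
    ),
    "k8s_client_test.go": (
        "func TestGetRejectsTraversal(t *testing.T) {\n"  # hypothetical test name
        '\t_, err := client.Get(context.Background(), testDashboardDesc, "default", "../../etc/passwd")\n'
        "}\n"
    ),
    "main.go": 'func main() { fmt.Println("hello") }\n',  # matches nothing
}


if __name__ == "__main__":
    for f in sorted(scan_repo(SAMPLE_FILES), key=lambda f: (f.path, f.line)):
        print(f"{f.severity:<6} {f.path}:{f.line}  {f.category}  {f.snippet}")
```

Run it directly to print a findings table for the constructed files. With `downgrade_tests=False` the `etc/passwd` match keeps its base severity of high, which is how the report above ranks it; with the downgrade on, it drops to medium while the environment reads in `tests/` drop to info, matching the report's own info rating for the Python test files.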


MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.