Low
github · 29 files analyzed
elastic/mcp-server-elasticsearch
Minor capabilities, nothing alarming.
Findings: Remote code execution (1)
AI review
The extension itself is a legitimate Elasticsearch MCP server with no hidden instructions or data exfiltration mechanisms. The only finding is a remote code execution risk in the contributing documentation, which suggests running a curl-piped-to-shell command for local development setup.
- medium: Remote code execution risk in contributing guide. docs/CONTRIBUTING.md line 38 contains `curl -fsSL https://elastic.co/start-local | sh`, which downloads and executes a script directly from the internet. While this is a common convenience pattern for Elastic's official start-local tool, it violates security best practices and could be exploited if the URL is compromised or redirected. Developers following these instructions may unknowingly execute malicious code.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
Severity: info
Location: docs/CONTRIBUTING.md:38
Matched line: `curl -fsSL https://elastic.co/start-local | sh`
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.