High
github · 250 files analyzed

mongodb-js/mongodb-mcp-server

Sensitive access patterns — review carefully.

Outbound network 1
Environment variables (config / keys) 10
Filesystem writes 1
Shell / command execution 6
Sensitive credential files 21

AI review

This is a legitimate MongoDB MCP server implementation with no hidden instructions, prompt injection, or deceptive tool descriptions. The code references to keychain, environment variables, and network calls are all standard for a database connection tool that needs to handle credentials and communicate with MongoDB Atlas APIs.

Model: deepseek-chat

Static findings

Environment variables (config / keys) · Reads environment variables (config / API keys)

low MCP_SERVER_LIBRARY.md:285 production: process.env.MONGODB_PRODUCTION_URI,
low scripts/accuracy/generateTestSummary.ts:246 const { GITHUB_SERVER_URL, GITHUB_REPOSITORY, GITHUB_RUN_ID } = process.env;
low scripts/accuracy/updateAccuracyRunStatus.ts:5 const envAccuracyRunId = process.env.MDB_ACCURACY_RUN_ID;
info scripts/cleanupAtlasTestLeftovers.test.ts:146 baseUrl: process.env.MDB_MCP_API_BASE_URL || "https://cloud-dev.mongodb.com",
low scripts/generate-release-notes.ts:26 const GROVE_API_KEY = process.env["GROVE_API_KEY"];
low scripts/generate/generateArguments.ts:239 serverJson.version = process.env.VERSION || version;
low src/common/config/configUtils.ts:44 ? path.join(process.env.LOCALAPPDATA || process.env.APPDATA || os.homedir(), "mongodb")
low src/helpers/container.ts:15 if (process.env.container) {
low src/setup/aiTool.ts:53 return process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming");
low src/telemetry/telemetry.ts:240 if (typeof process === "undefined" || !process.env) {

Sensitive credential files · Reads sensitive credential files

info MCP_SERVER_LIBRARY.md:1056 // Pass keychain for automatic secret redaction
high api-extractor/reports/mongodb-mcp-server.public.api.md:404 constructor(keychain: Keychain);
high api-extractor/reports/web.public.api.md:644 constructor(keychain: Keychain | undefined);
high packages/types/src/index.ts:3 export type * from "./keychain.js";
high src/common/config/parseUserConfig.ts:2 import { Keychain } from "../keychain.js";
info src/common/keychain.ts:5 * This class holds the secrets of a single server. Ideally, we might want to have a keychain
high src/common/logging/consoleLogger.ts:1 import type { Keychain } from "../keychain.js";
high src/common/logging/diskLogger.ts:3 import type { Keychain } from "../keychain.js";
high src/common/logging/loggerBase.ts:3 import type { Keychain } from "../keychain.js";
high src/common/logging/mcpLogger.ts:3 import type { Keychain } from "../keychain.js";
high src/common/session.ts:19 import type { Keychain } from "./keychain.js";
high src/index.ts:47 import { Keychain } from "./common/keychain.js";

(9 more findings in this category not shown)

Shell / command execution · Executes shell / system commands

medium scripts/createMcpb.ts:9 import { spawn } from "node:child_process";
medium scripts/generate-release-notes.ts:6 import { execFileSync } from "child_process";
medium scripts/generate/generateArguments.ts:13 import { execSync } from "child_process";
medium scripts/generate/generateUI.ts:8 import { execSync } from "child_process";
medium src/setup/aiTool.ts:6 import { exec } from "child_process";
medium src/setup/installSkills.ts:2 import { spawn } from "node:child_process";

Outbound network · Makes outbound network requests

low src/common/atlas/apiClient.ts:152 const response = await fetch(url, {

Filesystem writes · Reads or writes the filesystem

low src/common/exportsManager.ts:117 await fs.rm(this.exportsDirectoryPath, { force: true, recursive: true });


MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.