Grade: Clean
Environment variables (config / keys): 3
Remote code execution: 1
AI review
This is the official ElevenLabs MCP server. It requires an API key via environment variable, which is standard for API-based tools. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.
- low Standard API key configuration — The extension reads ELEVENLABS_API_KEY from environment variables, which is expected and necessary for the extension's stated purpose of accessing ElevenLabs APIs. No code exfiltrates this key.
- low Remote code installation suggestion — README.md suggests installing 'uv' via curl pipe to shell. This is a common installation pattern for Python tooling and not part of the extension's runtime code. Users should verify the source before executing such commands.
- low No prompt injection or hidden instructions — The ELEVENLABS.md persona instructions are benign and describe legitimate assistant behavior for audio processing tasks. No instructions attempt to manipulate the agent into harmful actions or data exfiltration.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
- info README.md:24
  2. Install `uv` (Python package manager), install with `curl -LsSf https://astral.sh/uv/install.sh | sh` or see the `uv` [repo](https://github.com/astral-sh/uv) for additional install methods.
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low elevenlabs_mcp/__main__.py:19
  os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"), "Claude"
- low elevenlabs_mcp/server.py:54
  api_key = os.getenv("ELEVENLABS_API_KEY")
- low elevenlabs_mcp/utils.py:144
  if not os.path.isabs(file_path) and not os.environ.get("ELEVENLABS_MCP_BASE_PATH"):
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.