Low
Outbound network 3
Environment variables (config / keys) 1
AI review
No hidden instructions, prompt injection, or data exfiltration mechanisms found. The extension uses a standard API key via environment variable and makes legitimate HTTP calls to the Tavily API for web search and extraction.
- low Standard API key usage — The API key is read from process.env.TAVILY_API_KEY and used to authenticate with the Tavily service. This is expected behavior for a search API integration and does not exfiltrate data.
- low Legitimate network dependency — Axios is used for HTTP requests to the Tavily API, which is the stated purpose of the extension. No suspicious endpoints or data routing detected.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
info
package-lock.json:13
"axios": "^1.6.7",
low
package.json:51
"axios": "^1.6.7",
low
src/index.ts:6
import axios from "axios";
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/index.ts:15
const API_KEY = process.env.TAVILY_API_KEY;
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.