Low
github · 49 files analyzed
brave/brave-search-mcp-server
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 1
AI review
This is the official Brave Search MCP server published by Brave Software. It reads a BRAVE_API_KEY from the environment and makes outbound HTTPS requests to the Brave Search API, which is exactly what it advertises. No hidden instructions, prompt injection, or data exfiltration mechanisms were found.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
low
src/BraveAPI/index.ts:117
const response = await fetch(urlWithParams, { headers });
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
src/config.ts:33
braveApiKey: process.env.BRAVE_API_KEY ?? '',
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.