High
github · 222 files analyzed

Azure/azure-mcp

Sensitive access patterns — review carefully.

Outbound network 1
Environment variables (config / keys) 5
Filesystem writes 1
Shell / command execution 2
Install-time scripts 1
Sensitive credential files 4

AI review

This is an official Microsoft Azure MCP server repository. The flagged items are standard engineering pipeline files (npmrc creation, build scripts, test configurations) and not part of the MCP server runtime. No prompt injection, hidden instructions, data exfiltration, or deceptive tool descriptions were found.

Model: deepseek-chat

Static findings

Outbound network · Makes outbound network requests

low eng/common/docgeneration/templates/matthews/styles/main.js:86 var xmlHttp = new XMLHttpRequest();

Sensitive credential files · Reads sensitive credential files

info eng/common/pipelines/templates/archetype-typespec-emitter.yml:192 # Create authenticated .npmrc file for publishing to devops
high eng/common/pipelines/templates/jobs/npm-publish.yml:117 npmrcPath: $(ArtifactPath)/.npmrc
high eng/common/pipelines/templates/steps/create-authenticated-npmrc.yml:12 Write-Host "Creating .npmrc file ${{ parameters.npmrcPath }} for registry ${{ parameters.registryUrl }}"
high eng/pipelines/templates/steps/publish-to-dev-feed.yml:14 npmrcPath: ${{parameters.PathToArtifacts}}/.npmrc

Filesystem writes · Reads or writes the filesystem

low eng/common/pipelines/templates/steps/mashup-doc-index.yml:81 shutil.rmtree(os.path.join(SITE_INDEX, 'api'))

Shell / command execution · Executes shell / system commands

medium eng/npm/platform/index.js:5 const childProcess = require('child_process')
medium eng/npm/wrapper/index.js:40 const { execSync } = require('child_process')

Environment variables (config / keys) · Reads environment variables (config / API keys)

low eng/npm/platform/index.js:8 const isDebugMode = process.env.DEBUG && (
low eng/npm/wrapper/index.js:6 const isDebugMode = process.env.DEBUG && (
info eng/vscode/src/test/suite/allTests.ts:12 timeout: process.env.TEST_TIMEOUT ?? "10s"
info eng/vscode/src/test/suite/unitTests.ts:12 timeout: process.env.TEST_TIMEOUT ?? "10s",
low eng/vscode/webpack.config.js:18 const debugWebpack = !!process.env.DEBUG_WEBPACK;

Install-time scripts · Runs scripts on install (postinstall/preinstall)

medium eng/npm/wrapper/package.json:34 "postinstall": "node ./scripts/post-install-script.js"

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.