hashicorp/terraform-mcp-server

No risky behavior detected.

Environment variables (config / keys) 1

Sensitive credential files 1

AI review

No prompt injection, hidden instructions, or deceptive tool descriptions found. The extension is a legitimate HashiCorp-maintained MCP server for Terraform integration with standard CI/CD and security review templates.

Model: deepseek-chat

Static findings

Environment variables (config / keys) · Reads environment variables (config / API keys)

info .github/workflows/changelog.yml:96 const changelogChangesPresent = process.env.CHANGELOG_CHANGES === 'true';

Sensitive credential files · Reads sensitive credential files

info pkg/client/tls_test.go:36 keyPEM = `-----BEGIN PRIVATE KEY-----

Scanning every extension your team installs?

Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.

MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.