Low
npm · 45 files analyzed
@modelcontextprotocol/server-everything
Minor capabilities, nothing alarming.
Outbound network 1
Environment variables (config / keys) 4
AI review
This is an official Anthropic MCP reference server designed to demonstrate protocol features. The env_access findings are expected for a demo server that intentionally exposes environment variables as a tool, and the network fetch is for a gzip utility tool. No hidden instructions, data exfiltration, or deceptive behavior was found.
- low Intentional environment variable exposure tool — The get-env.js tool returns all environment variables via JSON.stringify(process.env). This is by design for a demonstration server, but could leak sensitive credentials if used in production. Developers should not run this server with real secrets.
- low Network fetch in gzip tool — The gzip-file-as-resource.js tool fetches from a URL provided by the user. This is expected functionality for a compression demo, but could be used to make arbitrary network requests. The tool's purpose is to demonstrate resource handling, not to exfiltrate data.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
- low dist/tools/get-env.js:23
  text: JSON.stringify(process.env, null, 2),
- low dist/tools/gzip-file-as-resource.js:5
  const GZIP_MAX_FETCH_SIZE = Number(process.env.GZIP_MAX_FETCH_SIZE ?? String(10 * 1024 * 1024));
- low dist/transports/sse.js:58
  const PORT = process.env.PORT || 3001;
- low dist/transports/streamableHttp.js:172
  const PORT = process.env.PORT || 3001;
Outbound network · Makes outbound network requests
- low dist/tools/gzip-file-as-resource.js:136
  const response = await fetch(url, { signal: controller.signal });
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.