Medium
github · 250 files analyzed
grafana/mcp-grafana
Powerful capabilities — review before trusting.
Outbound network 1
Environment variables (config / keys) 5
Shell / command execution 1
Sensitive credential files 1
AI review
No malicious or deceptive code found. The flagged items are standard development patterns (child process spawn, network fetch, env access) used legitimately for installation and testing. The path traversal in a test file is a unit test, not an exploit.
Model: deepseek-chat
Static findings
Shell / command execution · Executes shell / system commands
medium
.claude-plugin/install-binary.mjs:3
import { spawn } from 'node:child_process';
Outbound network · Makes outbound network requests
low
.claude-plugin/install-binary.mjs:83
const response = await fetch(url);
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
.claude-plugin/install-binary.mjs:11
const PLUGIN_ROOT = process.env.CLAUDE_PLUGIN_ROOT;
info
tests/admin_test.py:27
grafana_url = os.environ.get("GRAFANA_URL", DEFAULT_GRAFANA_URL)
info
tests/conftest.py:42
return os.environ.get("MCP_TRANSPORT", DEFAULT_MCP_TRANSPORT)
info
tests/disable_write_test.py:11
env = {"GRAFANA_URL": os.environ.get("GRAFANA_URL", "http://localhost:3000")}
info
tests/utils.py:41
mcp_url = os.environ.get("MCP_GRAFANA_URL", "http://localhost:8000")
Sensitive credential files · Reads sensitive credential files
info
k8s_client_test.go:319
_, err := client.Get(context.Background(), testDashboardDesc, "default", "../../etc/passwd")
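The findings above are the output of pattern matching over source lines, which is why a `../../etc/passwd` literal in a Go unit test lands under "Sensitive credential files" and why the same `os.environ` read is "low" in the installer but "info" in `tests/`. The following is an added illustration of that kind of heuristic scanner, written for this page; it is not MCPVet's rule set nor code from grafana/mcp-grafana. The regexes, the four categories' base severities, and the "test paths are demoted to info" policy are all assumptions chosen to reproduce the severities shown above, and the sample corpus is constructed from the flagged lines rather than read from the repository.

```python
import re
from dataclasses import dataclass

# Heuristic rules modelled on this report's categories. The regexes and base
# severities are assumptions for illustration, not MCPVet's actual rules.
RULES = [
    ("Shell / command execution", "medium",
     re.compile(r"child_process|subprocess\.|os\.system\(|exec\.Command\(")),
    ("Outbound network", "low",
     re.compile(r"\bfetch\(|requests\.(get|post)\(|http\.(Get|Post)\(")),
    ("Environment variables (config / keys)", "low",
     re.compile(r"process\.env\b|os\.environ\b|os\.Getenv\(")),
    ("Sensitive credential files", "info",
     re.compile(r"/etc/(passwd|shadow)|\.ssh/id_|\.aws/credentials")),
]

# Assumed policy: hits in test code are demoted to "info". This is what would
# make tests/*.py and *_test.go carry "info" while the installer carries "low".
TEST_PATH = re.compile(r"(^|/)tests?/|_test\.go$|(^|/)conftest\.py$")

ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    path: str
    line: int
    snippet: str


def is_test_path(path: str) -> bool:
    return TEST_PATH.search(path) is not None


def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line of every file; one finding per (rule, line).

    The scanner sees only text: the passwd literal below fires the credential-file
    rule regardless of intent. Deciding that it is a unit-test input, not a read
    of /etc/passwd, is left to the reviewer (or the AI review step on this page).
    """
    findings = []
    for path, text in files.items():
        demote = is_test_path(path)
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, severity, pattern in RULES:
                if pattern.search(line):
                    findings.append(Finding(category, "info" if demote else severity,
                                            path, lineno, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Per-category counts, as in the counters at the top of the report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def grade(findings: list[Finding]) -> str:
    """Overall grade is the worst severity seen; 'clean' if nothing fired."""
    if not findings:
        return "clean"
    return max((f.severity for f in findings), key=ORDER.__getitem__).capitalize()


# Constructed sample corpus echoing the flagged lines on this page (line
# numbers here are those of these fragments, not of the real files).
SAMPLE = {
    ".claude-plugin/install-binary.mjs": (
        "import { spawn } from 'node:child_process';\n"
        "const PLUGIN_ROOT = process.env.CLAUDE_PLUGIN_ROOT;\n"
        "const response = await fetch(url);\n"
    ),
    "tests/utils.py": (
        'mcp_url = os.environ.get("MCP_GRAFANA_URL", "http://localhost:8000")\n'
    ),
    "k8s_client_test.go": (
        '_, err := client.Get(context.Background(), testDashboardDesc, '
        '"default", "../../etc/passwd")\n'
    ),
}

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in sorted(found, key=lambda f: ORDER[f.severity], reverse=True):
        print(f"{f.severity:6} {f.category:40} {f.path}:{f.line}  {f.snippet}")
    print("grade:", grade(found), summarize(found))
```

Running it on the constructed corpus yields one medium (the `child_process` import), two low, and three info findings, hence an overall "Medium", matching the page. The point to take from it is the one the footer makes: a single `spawn` import is enough to set the grade, and nothing in the scanner distinguishes an installer that downloads and runs a binary from a build script, so the grade tells you where to look, not whether the code is safe.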
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.