Clean
github · 129 files analyzed
hashicorp/terraform-mcp-server
No risky behavior detected.
Environment variables (config / keys) 1
Sensitive credential files 1
AI review
No malicious or deceptive code found. The extension is a legitimate HashiCorp-maintained MCP server for Terraform integration. The static findings are either test fixtures or CI workflow code that do not pose a real safety risk.
- low Test file contains private key fixture — pkg/client/tls_test.go:36 contains a hardcoded PEM private key used only for unit testing TLS client configuration. This is a test fixture, not a real credential, and is not used in production code or exposed to the agent.
- low CI workflow reads environment variable — .github/workflows/changelog.yml:96 reads CHANGELOG_CHANGES environment variable to control CI logic. This is standard CI behavior and does not exfiltrate data or manipulate the agent.
Model: deepseek-chat
Static findings
Environment variables (config / keys) · Reads environment variables (config / API keys)
info
.github/workflows/changelog.yml:96
const changelogChangesPresent = process.env.CHANGELOG_CHANGES === 'true';
Sensitive credential files · Reads sensitive credential files
info
pkg/client/tls_test.go:36
keyPEM = `-----BEGIN PRIVATE KEY-----
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.