Safer Fetch MCP Server

# Safer Fetch MCP Server A Model Context Protocol server that provides web content fetching capabilities **with built-in prompt injection safeguards**. This server enables LLMs to retrieve and process content from web pages, converting HTML to markdown for easier consumption, while protecting against malicious content that could manipulate the LLM. ## Acknowledgements This project is based on Anthropic's Fetch MCP server implementation and incorporates prompt injection safeguard code/patterns from Goose. ## 🚀 Quick Start ### Installing the Server Run the MCP server using [uvx](https://docs.astral.sh/uv/guides/tools/): ```bash uvx --refresh mcp-server-fetch-tom ``` The `--refresh` flag ensures you always get the latest version. ### Configuring in Your AI IDE Choose your IDE and add the configuration to enable the fetch MCP server: #### Claude Desktop Edit your Claude Desktop configuration file: - **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json` - **Windows**: `%APPDATA%\Claude\claude_desktop_config.json` - **Linux**: `~/.config/Claude/claude_desktop_config.json` ```json { "mcpServers": { "fetch": { "command": "uvx", "args": ["--refresh", "mcp-server-fetch-tom"] } } } ``` #### VS Code (Cline / Roo Cline) Add to your VS Code settings (`.vscode/mcp.json` in workspace or User Settings JSON): ```json { "mcp": { "servers": { "fetch": { "command": "uvx", "args": ["--refresh", "mcp-server-fetch-tom"] } } } } ``` Or use the one-click install buttons: [](https://insiders.vscode.dev/redirect/mcp/install?name=fetch&config=%7B%22command%22%3A%22uvx%22%2C%22args%22%3A%5B%22--refresh%22%2C%22mcp-server-fetch-tom%22%5D%7D) [](https://insiders.vscode.dev/redirect/mcp/install?name=fetch&config=%7B%22command%22%3A%22uvx%22%2C%22args%22%3A%5B%22--refresh%22%2C%22mcp-server-fetch-tom%22%5D%7D&quality=insiders) #### Cursor Add to Cursor settings: 1. Open Cursor Settings (`Cmd/Ctrl + ,`) 2. Search for "MCP" 3. Add server configuration, or edit `.cursor/mcp.json`: ```json { "mcpServers": { "fetch": { "command": "uvx", "args": ["--refresh", "mcp-server-fetch-tom"] } } } ``` #### Continue (VS Code Extension) Edit `~/.continue/config.json`: ```json { "mcpServers": { "fetch": { "command": "uvx", "args": ["--refresh", "mcp-server-fetch-tom"] } } } ``` #### Goose AI Edit `~/.config/goose/profiles.yaml`: ```yaml default: provider: openai processor: gpt-4 accelerator: gpt-4o-mini moderator: passive toolkits: - developer - mcp mcp_servers: fetch: command: uvx args: - --refresh - mcp-server-fetch-tom ``` ## ⚠️ Disclaimer **This software is provided "as is" without warranty of any kind.** While this server implements prompt injection detection and mitigation measures, **no security solution is 100% effective**. The safeguards implemented are designed to reduce risk but cannot guarantee complete protection against all prompt injection attacks. Users should: - Exercise caution when fetching content from untrusted sources - Review fetched content before acting on it in sensitive contexts - Understand that determined attackers may find ways to bypass detection - Not rely solely on these safeguards for security-critical applications The maintainers are not responsible for any damages or security incidents resulting from the use of this software. ## Security Features This server includes prompt injection safeguards to protect LLMs from malicious web content: ### 1. Content Boundary Wrapping All fetched content is wrapped in security boundary tags with a **random boundary ID** (to prevent escape attacks). The wrapper includes: - Clear instructions that content should be treated as **DATA ONLY**, not as instructions - Critical security rules for the LLM to follow - Source URL attribution ### 2. Prompt Injection Pattern Detection Content is scanned for 20+ suspicious patterns including: - **Instruction overrides**: "ignore previous instructions", "disregard prior prompts" - **Role manipulation**: "you are now", "act as", "pretend to be" - **System prompt attacks**: "new system prompt", "override instructions" - **Jailbreak attempts**: "developer mode", "DAN mode", "bypass restrictions" - **Output manipulation**: "do not mention", "keep this secret" - **Encoded instructions**: Base64 patterns, "decode and execute" When suspicious patterns are detected: - **NO DATA is returned** - the fetched content is completely blocked - Only a warning message is returned indicating the number of patterns detected - The source URL is provided so users can manually review if they believe it's a false positive > [!CAUTION] > This server can access local/internal IP addresses and may represent a security risk. Exercise caution when using this MCP server to ensure this does not expose any sensitive data. The fetch tool will truncate the response, but by using the `start_index` argument, you can specify where to start the content extraction. This lets models read a webpage in chunks, until they find the information they need. ### Available Tools - `fetch` - Fetches a URL from the internet and extracts its contents as markdown. - `url` (string, required): URL to fetch - `max_length` (integer, optional): Maximum number of characters to return (default: 5000) - `start_index` (integer, optional): Start content from this character index (default: 0) - `raw` (boolean, optional): Get raw content without markdown conversion (default: false) When the output type is 'md' and the fetched resource is a PDF, it will be automatically converted to plain text. ### Prompts - **fetch** - Fetch a URL and extract its contents as markdown - Arguments: - `url` (string, required): URL to fetch ## Installation ### Using uv (recommended) When using [`uv`](https://docs.astral.sh/uv/) no specific installation is needed. We will use [`uvx`](https://docs.astral.sh/uv/guides/tools/) to directly run *mcp-server-fetch-tom*: ```bash uvx --refresh mcp-server-fetch-tom ``` ## Advanced Configuration ### Alternative Installation Methods The examples above use `uvx` for simplicity. You can also use: <details> <summary>Docker</summary> ```json { "mcpServers": { "fetch": { "command": "docker", "args": ["run", "-i", "--rm", "mcp/fetch"] } } } ``` </details> <details> <summary>pip installation</summary> First install: `pip install mcp-server-fetch-tom` Then configure: ```json { "mcpServers": { "fetch": { "command": "mcp-server-fetch-tom" } } } ``` </details> ### Customization - User-agent By default, depending on if the request came from the model (via a tool), or was user initiated (via a prompt), the server will use either the user-agent ``` ModelContextProtocol/1.0 (Autonomous; +https://github.com/modelcontextprotocol/servers) ``` or ``` ModelContextProtocol/1.0 (User-Specified; +https://github.com/modelcontextprotocol/servers) ``` This can be customized by adding the argument `--user-agent=YourUserAgent` to the `args` list in the configuration. ### Customization - Proxy The server can be configured to use a proxy by using the `--proxy-url` argument. ## Windows Configuration If you're experiencing timeout issues on Windows, you may need to set the `PYTHONIOENCODING` environment variable to ensure proper character encoding: <details> <summary>Windows configuration (uvx)</summary> ```json { "mcpServers": { "fetch": { "command": "uvx", "args": ["--refresh", "mcp-server-fetch-tom"], "env": { "PYTHONIOENCODING": "utf-8" } } } } ``` </details> <details> <summary>Windows configuration (pip)</summary> ```json { "mcpServers": { "fetch": { "command": "mcp-server-fetch-tom", "env": { "PYTHONIOENCODING": "utf-8" } } } } ``` </details> This addresses character encoding issues that can cause the server to timeout on Windows systems. ## Debugging You can use the MCP inspector to debug the server. For uvx installations: ``` npx @modelcontextprotocol/inspector uvx mcp-server-fetch-tom ``` Or if you've installed the package in a specific directory or are developing on it: ``` cd path/to/fetch_mcp npx @modelcontextprotocol/inspector uv run mcp-server-fetch-tom ``` ## Building and Publishing For maintainers: See the [Publishing Guide](docs/PUBLISHING.md) for detailed instructions on building and publishing to PyPI. **Quick Reference:** ```bash # Build the package uvx --from build pyproject-build --installer uv # Check the build uvx twine check dist/* # Upload to PyPI uvx twine upload dist/* ``` Or use the Makefile: ```bash make build # Build package make check # Verify package make upload # Upload to PyPI ``` For more details, see: - [Full Publishing Guide](docs/PUBLISHING.md) - Comprehensive documentation - [Quick Start Guide](docs/QUICKSTART_PUBLISHING.md) - TL;DR version - [Makefile](Makefile) - Automated commands ## Contributing We encourage contributions to help expand and improve mcp-server-fetch. Whether you want to add new tools, enhance existing functionality, or improve documentation, your input is valuable. For examples of other MCP servers and implementation patterns, see: https://github.com/modelcontextprotocol/servers Pull requests are welcome! Feel free to contribute new ideas, bug fixes, or enhancements to make mcp-server-fetch even more powerful and useful. ## Security Considerations While this server implements prompt injection safeguards, security is a shared responsibility: 1. **Defense in depth**: These safeguards are one layer of protection; combine with other security measures 2. **Regular updates**: Keep the server updated to benefit from new pattern detection rules 3. **Report vulnerabilities**: If you discover a bypass or vulnerability, please report it responsibly 4. **False positives**: The pattern detection may flag legitimate content; review warnings in context ## License mcp-server-fetch is licensed under the MIT License. This means you are free to use, modify, and distribute the software, subject to the terms and conditions of the MIT License. For more details, please see the LICENSE file in the project repository.