📂 MCP Data Fetch Server
MCP Data Fetch Server is secure, sandboxed server that fetches web content and extracts data via the Model Control Protocol (MCP). without executing JavaScript.
Table of Contents
🎯 Features
Secure web page fetching – strips scripts, iframes and cookie banners; no JavaScript execution.
Rich data extraction – retrieve links, metadata, Open Graph/Twitter cards, and downloadable resources.
Safe file downloads – size limits, filename sanitisation, and path‑traversal protection within a sandboxed cache.
Built‑in caching – optional cache directory reduces repeated network calls.
Prompt‑injection detection – validates URLs and fetched content for malicious instructions.
📦 Installation & Quick Start
📌 Three‑step overview
1️⃣ The script creates a virtual environment and installs dependencies.
2️⃣ It prepares a cache folder (.fetch_cache) inside the project root.
3️⃣main.pylaunches the MCP server, listening on stdin/stdout for JSON‑RPC requests.
⚙️ Command‑Line Options
Option | Description |
,
| Path to the sandboxed working directory where all file operations are confined (default:
). |
,
| Name of the cache subdirectory relative to the working directory (default:
). |
,
| Show help message and exit. |
🤝 Integration with LM Studio (or any MCP‑compatible client)
Add an entry to your mcp.json configuration so that LM Studio can launch the server automatically.
📌 Tip: Ensure
run.shis executable (chmod +x …) and that the virtual environment can install the required Python packages on first launch.
📡 MCP API Overview
All communication follows JSON‑RPC 2.0 over stdin/stdout.
initialize
Request:
Response contains the protocol version, server capabilities and basic metadata (e.g., name = mcp-datafetch-server, version = 2.1.0).
tools/list
Request:
Response: { "tools": [ …tool definitions… ] }. Each definition includes name, description and an input schema (JSON Schema).
tools/call
Generic request shape (replace <tool_name> and arguments as needed):
The server validates the request against the tool’s schema, executes the operation, and returns a ToolResult containing one or more content blocks.
🛠️ Available Tools
fetch_webpage
Securely fetches a web page and returns clean content in the requested format.
Name | Type | Required | Description |
| string | ✅ (no default) | URL to fetch ( http/https only ). |
| string | ❌ (
) | Output format – one of
,
, or
. |
| boolean | ❌ (
) | Whether to append an extracted links list. |
| boolean | ❌ (
) | Whether to list image URLs in the output. |
| boolean | ❌ (
) | Attempt to strip cookie banners & pop‑ups. |
Example
Note: The tool sanitises HTML, removes scripts/iframes, and checks for prompt‑injection patterns before returning content.
extract_links
Extracts and categorises all hyperlinks from a page.
Name | Type | Required | Description |
| string | ✅ (no default) | URL of the page to analyse. |
| string | ❌ (
) | Return only
,
,
, or
. |
Example
Note: Links are classified as internal (same domain) or external; resource links (images, PDFs…) can be filtered with resources.
download_file
Safely downloads a remote file into the sandboxed cache directory.
Name | Type | Required | Description |
| string | ✅ (no default) | Direct URL to the file. |
| string | ❌ (auto‑generated) | Desired filename; will be sanitised and forced into the cache directory. |
Example
Note: The server enforces a 100 MB download limit, validates the URL against blocked domains/extensions, and returns the relative path inside the working directory for cross‑agent access.
get_page_metadata
Extracts structured metadata (title, description, Open Graph, Twitter Cards) from a web page.
Name | Type | Required | Description |
| string | ✅ (no default) | URL of the page to inspect. |
Example
Note: The tool returns a formatted text block with title, description, keywords, Open Graph properties and Twitter Card fields.
check_url
Performs a lightweight HEAD request to report status code, headers and size without downloading the body.
Name | Type | Required | Description |
| string | ✅ (no default) | URL to probe. |
Example
Note: The response includes the final URL after redirects, a concise status summary (✅ OK or ⚠️ Error), and selected HTTP headers such as Content‑Type and Content‑Length.
🔐 Security Features
Path‑traversal protection – all file operations are confined to the sandboxed working directory.
Prompt‑injection detection in URLs, fetched HTML and generated content.
Blocked domains & extensions (localhost, private IP ranges, executable/script files).
Content‑size limits – max 50 MB for page fetches, max 100 MB for file downloads.
HTML sanitisation – removes
<script>,<iframe>, event handlers and other risky elements before processing.Cookie/banner handling – optional removal of consent banners and pop‑ups during fetch.
© 2025 Undici77 – All rights reserved.
This server cannot be installed
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
Securely fetches web content, extracts links and metadata, and downloads files through a sandboxed MCP server without JavaScript execution. Includes prompt-injection detection and comprehensive HTML sanitization for safe web data retrieval.