Provides tools for querying native token balances, ERC20 tokens, and transaction details, alongside security assessments for wallets and smart contracts.
Enables scraping of Google search results (SERP), including snippets and related searches, and retrieving autocomplete keyword suggestions.
Provides the capability to generate website screenshots in JPEG format.
Converts web pages and HTML content into clean, structured Markdown with support for headings, lists, and tables.
Supports native token balance checks and transaction queries on the Optimism blockchain.
Allows for native token balance and transaction data retrieval on the Polygon network.
Integrates VirusTotal for phishing and malware detection during URL scans and for comprehensive threat intelligence lookups.
MCP Services
Multi-tool MCP server + REST API for AI agents. 29 tools across web scraping, SEO analysis, agent memory, screenshot/PDF generation, domain intelligence, content extraction, multi-chain EVM blockchain queries, and security toolkit.
Live: mcp.skills.ws | Docs: llms.txt | npm: npm install -g mcp-services
Quick Start
Use the hosted version (no setup)
Add to your MCP client config (Claude Desktop, Cursor, OpenClaw, etc.):
{
  "mcpServers": {
    "mcp-services": {
      "url": "https://mcp.skills.ws/mcp/sse"
    }
  }
}
Free tier: 10 calls/day, no auth needed.
Self-host
npm install -g mcp-services
mcp-services
# -> running on http://localhost:3100
Tools (29)
Web Scraping
Tool | Endpoint | Description |
|
| URL to clean Markdown with headings, lists, links, code blocks, tables |
|
| Crawl a site from starting URL, follow internal links (depth 1-3, max 20 pages) |
|
| Extract structured data: JSON-LD, Open Graph, meta tags, headings, links, images, tables |
SEO Toolkit
Tool | Endpoint | Description |
|
| Google SERP scraping -- top 20 results, People Also Ask, featured snippets, related searches |
|
| Full on-page SEO audit with score (0-100) -- title, meta, headings, images, schema, Open Graph |
|
| Google Autocomplete keyword suggestions with A-Z expansion (100+ ideas) |
Agent Memory
Tool | Endpoint | Description |
|
| Store a memory (key-value, namespace-scoped, with tags). Upserts on key conflict |
|
| Retrieve a memory by namespace + key |
|
| Full-text search across memories in a namespace |
|
| List all memories in a namespace with pagination |
|
| Delete a memory by namespace + key |
Screenshot & PDF
Tool | Endpoint | Description |
|
| PNG/JPEG screenshot of any URL |
|
| Generate PDF of any URL |
|
| Convert PDF (from URL) to Word/DOCX -- text extraction with heading detection |
Content Extraction
Tool | Endpoint | Description |
|
| Fetch URL, strip nav/ads/scripts, convert to Markdown |
|
| Extract text from image URL via Tesseract.js OCR |
Domain Intelligence
Tool | Endpoint | Description |
|
| WHOIS registrar, creation date, expiry, name servers |
|
| DNS records -- |
|
| SSL certificate issuer, validity dates, expiry countdown, fingerprint |
Blockchain (6 EVM chains)
Tool | Endpoint | Description |
|
| Native token balance for any address |
|
| ERC20 token balance, symbol, decimals |
|
| Transaction details -- from, to, value, gas, status |
Supported chains: Ethereum, Base, Arbitrum, Optimism, Polygon, Celo
Security Toolkit
Tool | Endpoint | Description |
|
| Phishing & malware detection -- VirusTotal + heuristics (typosquatting, homoglyphs, suspicious TLDs, free hosting) |
|
| Ethereum wallet risk assessment -- Etherscan verification, tx patterns, OFAC sanctions, address poisoning warnings |
|
| Smart contract honeypot & risk detection -- Honeypot.is + source code analysis (mint, blacklist, fee manipulation, proxy) |
|
| Email authentication check -- SPF, DKIM, DMARC, MX records via DNS |
|
| IOC lookup -- AbuseIPDB + VirusTotal + OTX AlienVault with weighted confidence scoring for IPs, domains, URLs, hashes |
|
| Security header score (0-100) -- HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, cookie flags |
|
| Information leakage detection -- Server version, X-Powered-By, debug headers, CORS misconfiguration |
Security tools degrade gracefully without API keys (heuristics-only mode). Optional keys: VT_API_KEY, ABUSEIPDB_API_KEY, ETHERSCAN_API_KEY.
Authentication
Three tiers -- use whichever fits:
Tier | How | Limit | Cost |
Free | No auth needed | 10 calls/day per IP | $0 |
API Key |
| Unlimited | $9/mo |
x402 |
| Pay per call | $0.005/call |
API Key
Subscribe via Stripe to get an unlimited API key:
# 1. Create checkout session
curl -X POST https://mcp.skills.ws/billing/checkout
# Returns: { "url": "https://checkout.stripe.com/..." }
# 2. Complete payment at the Stripe URL
# 3. You'll receive your API key on the success page (shown once only -- save it)
# 4. Use it
curl -H "X-Api-Key: mcp_your_key" "https://mcp.skills.ws/api/whois?domain=example.com"
For migration only, query-string API keys (?apikey=) can be temporarily re-enabled with ALLOW_APIKEY_QUERY=true. This mode is deprecated; prefer X-Api-Key.
x402 Pay-per-call
No account needed. Pay with USDC or USDT on Base or Celo. x402-compatible agents handle payment automatically.
curl -H "X-Payment: <base64-encoded-json>" "https://mcp.skills.ws/api/screenshot?url=https://example.com"
REST API
All tools are also available as REST endpoints:
# Web Scraping
curl "https://mcp.skills.ws/api/scrape?url=https://example.com"
curl "https://mcp.skills.ws/api/crawl?url=https://example.com&depth=2&maxPages=10"
curl "https://mcp.skills.ws/api/extract?url=https://example.com"
# SEO
curl "https://mcp.skills.ws/api/serp?keyword=mcp+server"
curl "https://mcp.skills.ws/api/onpage-seo?url=https://example.com"
curl "https://mcp.skills.ws/api/keywords?keyword=ai+agents"
# Memory
curl -X POST "https://mcp.skills.ws/api/memory" \
-H "Content-Type: application/json" \
-d '{"namespace":"my-agent","key":"greeting","value":"Hello world","tags":["demo"]}'
curl "https://mcp.skills.ws/api/memory?namespace=my-agent&key=greeting"
curl "https://mcp.skills.ws/api/memory/search?namespace=my-agent&query=hello"
# Domain Intelligence
curl "https://mcp.skills.ws/api/whois?domain=example.com"
curl "https://mcp.skills.ws/api/dns?domain=example.com&type=ALL"
curl "https://mcp.skills.ws/api/ssl?domain=example.com"
# Content
curl "https://mcp.skills.ws/api/screenshot?url=https://example.com&format=png"
curl "https://mcp.skills.ws/api/pdf?url=https://example.com"
curl "https://mcp.skills.ws/api/pdf2docx?url=https://example.com/document.pdf"
# Blockchain
curl "https://mcp.skills.ws/api/chain/balance?address=0x...&chain=ethereum"
curl "https://mcp.skills.ws/api/chain/erc20?address=0x...&token=0x...&chain=celo"
# Security
curl "https://mcp.skills.ws/api/security/url-scan?url=https://suspicious-site.com"
curl "https://mcp.skills.ws/api/security/wallet-check?address=0x...&chain=ethereum"
curl "https://mcp.skills.ws/api/security/contract-scan?address=0x...&chainId=1"
curl "https://mcp.skills.ws/api/security/email-headers?domain=example.com"
curl "https://mcp.skills.ws/api/security/threat-intel?ioc=8.8.8.8&type=ip"
curl "https://mcp.skills.ws/api/security/header-audit?url=https://example.com"
curl "https://mcp.skills.ws/api/security/vuln-headers?url=https://example.com"
Environment Variables
Variable | Default | Description |
|
| Server port |
|
| Path to Chromium |
|
| Max concurrent browser instances |
|
| Max MCP SSE sessions |
|
| Max concurrent SSE sessions per client IP |
|
| Max SSE connection attempts per IP per window |
|
| SSE connect rate-limit window in ms |
| -- | Comma-separated allowlist for |
| -- | Optional comma-separated allowlist for |
|
| Free tier request limit |
|
| Free-tier rate-limit window in ms |
| -- | Optional Redis backend for shared/distributed rate-limits |
| -- | Comma-separated valid API keys |
|
| Allow deprecated |
| -- | Secret for admin endpoints |
| -- | Stripe API key for Pro subscriptions |
| -- | Stripe webhook signing secret |
| -- | Optional CSV allowlist for webhook source IPs |
|
| Per-IP Stripe checkout creation limit |
|
| x402 price per call |
| -- | x402 payment receiver address |
|
| Maximum accepted payment tx age in seconds (stale txs are rejected) |
|
| Persistent replay-protection cache for used x402 tx hashes |
|
| Set to |
|
| SQLite memory database path |
| -- | VirusTotal API key (free: 4/min, 500/day) |
| -- | AbuseIPDB API key (free: 1000/day) |
| -- | Etherscan API key (free: 5/sec) |
|
| Express trust proxy setting ( |
Reverse proxy & client IP configuration
mcp-services defaults to TRUST_PROXY=false, which means the app ignores X-Forwarded-For and uses the direct socket peer IP for rate limits and free-tier memory namespacing.
Enable TRUST_PROXY only when your deployment is actually behind a trusted reverse proxy/load balancer that rewrites forwarding headers. Common options:
TRUST_PROXY=1 when exactly one trusted proxy sits in front of Node.js
TRUST_PROXY=loopback for local proxy setups
TRUST_PROXY=<cidr> (or comma-separated values) for explicit trusted proxy ranges
When trust proxy is enabled, Express derives req.ip from X-Forwarded-For according to that trust policy. Ensure your edge proxy:
Appends/sets a valid X-Forwarded-For chain
Prevents direct untrusted clients from spoofing forwarding headers
Forwards the real client address as the left-most IP in X-Forwarded-For
If X-Forwarded-For is present while TRUST_PROXY=false, the server logs a defensive warning and ignores that header.
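How a trust policy turns the socket peer plus X-Forwarded-For into req.ip, as an added example (not mcp-services code): a dependency-free model of the right-to-left hop walk Express performs. deriveClientIp, the trust* helpers and every address are constructed for illustration.

```javascript
// Trust policies, expressed as (address, hopIndex) => boolean.
// hopIndex 0 is the socket peer, 1 is the right-most X-Forwarded-For entry, ...
const trustNone = () => false;                            // TRUST_PROXY=false
const trustHops = (n) => (_addr, i) => i < n;             // TRUST_PROXY=1 -> trustHops(1)
const trustAll = () => true;                              // TRUST_PROXY=true
const trustList = (ips) => (addr) => ips.includes(addr);  // explicit proxy addresses

function deriveClientIp(socketPeer, xForwardedFor, trust) {
  const forwarded = (xForwardedFor || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Nearest hop first: the socket peer, then X-Forwarded-For read right to left.
  const hops = [socketPeer, ...forwarded.reverse()];
  for (let i = 0; i < hops.length - 1; i++) {
    if (!trust(hops[i], i)) return hops[i];  // first untrusted hop is the client
  }
  return hops[hops.length - 1];              // every hop trusted: left-most entry
}

// Constructed scenario: a client at 198.51.100.7 sends its own
// "X-Forwarded-For: 203.0.113.99". The edge proxy (10.0.0.5) appends the
// address it actually saw before forwarding the request to Node.js.
const PROXY = '10.0.0.5';
const XFF_AFTER_PROXY = '203.0.113.99, 198.51.100.7';

function scenario() {
  return {
    off: deriveClientIp(PROXY, XFF_AFTER_PROXY, trustNone),
    oneHop: deriveClientIp(PROXY, XFF_AFTER_PROXY, trustHops(1)),
    allowlist: deriveClientIp(PROXY, XFF_AFTER_PROXY, trustList([PROXY])),
    blanketTrue: deriveClientIp(PROXY, XFF_AFTER_PROXY, trustAll),
    // No proxy in front: the client connects directly and forges the header.
    directWithOneHop: deriveClientIp('198.51.100.7', '203.0.113.99', trustHops(1)),
  };
}

console.log(scenario());
```

blanketTrue and directWithOneHop both yield the client-supplied 203.0.113.99: trusting more hops than actually exist lets a forged header choose the rate-limit and namespace key. With the policy off behind a proxy, every client collapses onto the proxy address 10.0.0.5.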
For production, set SSE_ALLOWED_HOSTS and SSE_ALLOWED_ORIGINS to strict, explicit values (only your public MCP domain and trusted app origins). Avoid wildcards or broad internal host lists.
Deployment hardening checklist (recommended)
Set NODE_ENV=production
Keep ALLOW_APIKEY_QUERY=false (header auth only)
Configure TRUST_PROXY correctly for your network path (do not blindly set true)
Set strict SSE_ALLOWED_HOSTS and SSE_ALLOWED_ORIGINS
Use REDIS_URL for shared rate-limits in multi-instance deployments
Rotate ADMIN_SECRET and Stripe keys periodically
Keep X402_TEST_MODE=0 in production (enforced by server)
Persist KEYS_FILE, MEMORY_DB_PATH, and X402_TX_CACHE_FILE on durable storage
Run npm audit in CI and fail builds on high/critical vulnerabilities
Production env quickstart
cp .env.production.example .env
# then edit .env values for your domain, proxy topology, redis and secrets
Stripe webhook edge allowlist auto-sync (nginx)
# Generate CIDR allowlist include from Stripe source and reload nginx
scripts/sync-stripe-webhook-ips.sh \
--out /etc/nginx/snippets/stripe-webhook-allowlist.conf \
--reload "systemctl reload nginx"
See deploy/nginx/stripe-webhook.conf.example for the webhook location block.
Security
SSRF protection: URL validation + DNS pre-resolution + private IP blocking + Puppeteer request interception
Domain validation: regex allowlist prevents command injection
Input sanitization: format validation per IOC type, address format checks, chain allowlists
Memory namespace isolation per auth tier (API key hash, IP, or x402)
Rate limiting on free tier
Resource limits: max concurrent browsers, SSE sessions, PDF size cap, 5MB response body limit
Response size limits on external API fetches
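The URL validation, DNS pre-resolution and private-IP blocking layers from the list above, as an added example (not the project's implementation). checkFetchTarget, isInternal and the sample hosts are hypothetical, and resolved addresses are passed in as an argument so the block runs offline.

```javascript
const net = require('node:net');

// Ranges a server-side fetcher should refuse (common set, not exhaustive).
const internal = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(prefix, bits, 'ipv4');
internal.addAddress('::', 'ipv6');          // unspecified
internal.addAddress('::1', 'ipv6');         // loopback
internal.addSubnet('fc00::', 7, 'ipv6');    // unique local
internal.addSubnet('fe80::', 10, 'ipv6');   // link-local

function isInternal(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;                          // not an IP: fail closed
  if (family === 6 && /^::ffff:/i.test(ip)) return true;  // IPv4-mapped: refuse outright
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolvedAddrs stands in for the DNS pre-resolution step (all A/AAAA answers).
function checkFetchTarget(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // WHATWG parsing canonicalises IP literals: 2130706433 and 0x7f.1 become 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const candidates = net.isIP(host) ? [host] : resolvedAddrs;
  if (candidates.length === 0) return { ok: false, reason: 'no addresses' };
  // Reject if ANY answer is internal, so a mixed public/private answer set fails.
  const bad = candidates.find(isInternal);
  if (bad) return { ok: false, reason: `internal address ${bad}` };
  return { ok: true, connectTo: candidates[0] };
}

// Constructed inputs.
console.log(checkFetchTarget('https://example.com/', ['93.184.216.34']));
console.log(checkFetchTarget('http://2130706433/', []));
console.log(checkFetchTarget('http://cdn.example/', ['93.184.216.34', '169.254.169.254']));
```

The check only holds if the fetch then connects to the vetted address (connectTo) rather than resolving the name a second time.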
Architecture
                 +--------------------------------------+
                 |            Express Server            |
                 |                                      |
                 |  +---------+   +---------------+     |
MCP SSE -------> |  | MCP SDK |   |  Auth Layer   |     |
                 |  |  (SSE)  |   | free/key/x402 |     |
                 |  +---------+   +---------------+     |
                 |                                      |
REST API ------> |  +--------------------------------+  |
                 |  |        29 Tool Handlers        |  |
                 |  | scrape | crawl | extract       |  |
                 |  | serp | onpage_seo | keywords   |  |
                 |  | memory (5) | screenshot | pdf  |  |
                 |  | html2md | ocr | whois | dns    |  |
                 |  | ssl | balance | erc20 | tx     |  |
                 |  | url_scan | wallet_check        |  |
                 |  | contract_scan | email_headers  |  |
                 |  | threat_intel | header_audit    |  |
                 |  | vuln_headers                   |  |
                 |  +--------------------------------+  |
                 |        |             |               |
                 |  +-----+----+  +-----+----------+    |
                 |  | Puppeteer|  | viem (6 RPCs)  |    |
                 |  | Chromium |  | whois-json     |    |
                 |  |          |  | dns/promises   |    |
                 |  |          |  | security.js    |    |
                 |  +----------+  +----------------+    |
                 |                                      |
Stripe --------> |  +--------------------------------+  |
Webhooks         |  |      Billing (stripe.js)       |  |
                 |  | checkout -> key provisioning   |  |
                 |  +--------------------------------+  |
                 +--------------------------------------+
Stack
Runtime: Node.js 22 + Express
Browser: Puppeteer (Chromium) -- screenshots, PDF, OCR, html2md
Blockchain: viem -- 6 EVM chains via public RPCs
Security: VirusTotal, AbuseIPDB, Etherscan, Honeypot.is, OTX AlienVault + heuristics
Payments: Stripe (subscriptions), x402 protocol (stablecoins on Base/Celo)
MCP: @modelcontextprotocol/sdk with SSE transport
Hosting: Aleph Cloud (decentralized compute)
License
MIT -- Commit Media SARL