pypi · mcp-server-fetch2026.6.4

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

RemediationAI

The problem is that the tool named 'fetch' collides with standard HTTP/network tool names, creating ambiguity and potential confusion in tool resolution. Rename the tool by adding a server-specific namespace prefix (e.g., 'fetch_web_content' or 'mcp_fetch_url') in the @server.call_tool decorator and tool definition. This eliminates naming collisions and makes the tool's origin and purpose unambiguous to callers and LLMs. Verify by checking that tool listings (via list_tools) show the new namespaced name and that no other tools share the prefix.

Evidence

async def check_may_autonomously_fetch_url(url: str, user_agent: str, proxy_url: str | None = None) -> None:

    """

    Check if the URL can be fetched by the user agent according to the robots.txt file.

    Raises a McpError if not.

    """

    from httpx import AsyncClient, HTTPError

RemediationAI

The problem is that check_may_autonomously_fetch_url uses a hardcoded DEFAULT_USER_AGENT_AUTONOMOUS credential without validating the caller's identity or authorization to make autonomous requests. Modify the function signature to accept an optional caller_context or authorization_token parameter, and validate it against a caller registry or authorization service before proceeding with the HTTP request. This ensures that only authorized callers can make autonomous fetches and prevents privilege escalation. Test by passing invalid or missing authorization tokens and confirming the function raises McpError before making any HTTP calls.

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

RemediationAI

The problem is that fetch_url uses module-level DEFAULT_USER_AGENT_AUTONOMOUS or DEFAULT_USER_AGENT_MANUAL credentials without consulting the caller's identity or per-request authorization context, allowing any caller to fetch arbitrary URLs. Add a caller_context or authorization_token parameter to fetch_url, validate it against an authorization service, and use caller-specific credentials or rate limits instead of module-level defaults. This ensures each caller is authenticated and authorized before making external requests. Verify by attempting to call fetch_url without valid authorization and confirming it raises McpError before any HTTP request is made.

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

import readabilipy.simple_json

from mcp.shared.exceptions import McpError

from mcp.server import Server

from mcp.server.stdio import stdio_server

from mcp.types import (

    ErrorData,

    GetPromptResult,

    Prompt,

    PromptArgument,

    PromptMessage,

    TextContent,

    Tool,

    INVALID_PARAMS,

    INTERNAL_ERROR,

)

from protego import Protego

from pydantic import BaseModel, Field, AnyUr

RemediationAI

The problem is that fetch_url returns extracted HTML/markdown content from untrusted external URLs directly to the LLM context without source attribution, making it impossible for the LLM or user to verify provenance or detect injected content. Wrap the returned content with explicit source delimiters and attribution markers (e.g., '<!-- Source: {url} -->' or '[Content from {url}]') and include metadata such as fetch timestamp, HTTP status, and content hash. This allows the LLM and downstream consumers to track content origin and detect tampering. Test by fetching a known URL and verifying that the returned markdown includes the source URL and timestamp in a parseable format.

Evidence

# Use a Python image with uv pre-installed

FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS uv

# Install the project into `/app`

WORKDIR /app

# Enable bytecode compilation

ENV UV_COMPILE_BYTECODE=1

# Copy from the cache instead of linking since it's a mounted volume

ENV UV_LINK_MODE=copy

# Install the project's dependencies using the lockfile and settings

RUN --mount=type=cache,target=/root/.cache/uv \

    --mount=type=bind,source=uv.lock,target=uv.lock \

    --mount=type=bind,source=py

RemediationAI

The problem is that the Dockerfile runs the container as root by default, giving any RCE vulnerability or malicious code full system privileges. Add a USER directive before the CMD or ENTRYPOINT in the final stage (e.g., 'RUN useradd -u 1000 nonroot && USER 1000' or 'USER nonroot' on distroless images) to run the MCP server as a non-root user. This limits the blast radius of any container escape or code execution vulnerability to the privileges of that user. Verify by building the image, running it, and confirming that the process runs as the specified non-root user (e.g., 'docker run <image> id' should show uid=1000).

Evidence

Metadata-Version: 2.4

Name: mcp-server-fetch

Version: 2026.6.4

Summary: A Model Context Protocol server providing tools to fetch and convert web content for usage by LLMs

Author: Anthropic, PBC.

Maintainer-email: Jack Adamson <jadamson@anthropic.com>

License: MIT

License-File: LICENSE

Keywords: automation,http,llm,mcp

Classifier: Development Status :: 4 - Beta

Classifier: Intended Audience :: Developers

Classifier: License :: OSI Approved :: MIT License

Classifier: Programming Language :: Python

RemediationAI

The problem is that PKG-INFO declares MCP tools but omits an explicit authentication or authorization field, leaving reviewers unable to determine what security mechanisms protect the server. Add an 'auth' or 'authorization' field to PKG-INFO metadata (e.g., 'Authorization: none' or 'Authorization: caller-identity-required') that explicitly documents whether the server relies on network-layer auth, host-level auth, or no auth at all. This makes the security posture transparent and auditable. Verify by re-reading PKG-INFO and confirming that the auth field clearly states the authentication mechanism or explicitly declares 'none'.

Evidence

# Fetch MCP Server

<!-- mcp-name: io.github.modelcontextprotocol/server-fetch -->

A Model Context Protocol server that provides web content fetching capabilities. This server enables LLMs to retrieve and process content from web pages, converting HTML to markdown for easier consumption.

> [!CAUTION]

> This server can access local/internal IP addresses and may represent a security risk. Exercise caution when using this MCP server to ensure this does not expose any sensitive data.

The fetch to

RemediationAI

The problem is that README.md declares MCP tools but omits an explicit authentication or authorization field, leaving users and reviewers unable to determine what security mechanisms protect the server. Add a dedicated 'Authentication' or 'Security' section to README.md that explicitly documents the authentication mechanism (e.g., 'This server requires caller identity validation via MCP context' or 'No authentication is enforced; network-layer security is assumed'). This makes the security posture transparent and auditable. Verify by reviewing the README and confirming that the Authentication section clearly states the mechanism or explicitly declares that no authentication is enforced.

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

import readabilipy.simple_json

from mcp.shared.exceptions import McpError

from mcp.server import Server

from mcp.server.stdio import stdio_server

from mcp.types import (

    ErrorData,

    GetPromptResult,

    Prompt,

    PromptArgument,

    PromptMessage,

    TextContent,

    Tool,

    INVALID_PARAMS,

    INTERNAL_ERROR,

)

from protego import Protego

from pydantic import BaseModel, Field, AnyUr

RemediationAI

The problem is that the tool description contains imperative language directing the LLM to invoke other tools (e.g., 'invoke the write_file tool'), which is a cross-tool chaining injection that escalates the caller's authorization beyond the single tool they authorized. Rewrite the tool description to describe only what THIS tool does (e.g., 'Fetches and converts web content to markdown') without mentioning or directing the LLM to call other tools; if composition is required, document it in human-readable documentation outside the tool description. This prevents the LLM from being tricked into invoking unauthorized tools. Verify by reviewing the tool description in the @server.call_tool decorator and confirming it contains no imperative phrases like 'invoke', 'call', or 'also use'.

LLM consensus