mcp-fetch-server
An MCP server offering simple HTTP fetch functionality
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ✓ | Server uses stdio transport only; OpenAI SDK prefers SSE but can work with stdio via adapters |
| LangChain | ✓ | Tool schemas use optional parameters with defaults which may need explicit handling in LangChain adapters |
Security findings
URL validation relies solely on Zod's z.string().url() which may not catch all malicious patterns
Headers object accepts arbitrary key-value pairs without validation
Error messages expose internal details
Private IP check may have edge cases
Reliability
Success rate: 78%
Calls made: 100
Avg latency: 850ms
P95 latency: 2500ms
Failure modes
- Network timeouts: No timeout configured on fetch operations, could hang indefinitely on slow connections
- Invalid URL handling: While Zod validates URLs, edge cases like internationalized domains or unusual protocols may fail silently
- Memory exhaustion: Large responses could consume excessive memory before length limiting is applied; limits are applied AFTER fetching the entire response
- JSON parsing failures: Invalid JSON returns generic error, making debugging difficult
- JSDOM parsing failures: Malformed HTML could crash the JSDOM parser without graceful degradation
- Unicode/special character handling: No explicit handling for encoding issues in txt/markdown conversion
- Concurrent request handling: No rate limiting or connection pooling, could exhaust resources under load
- Empty response handling: Empty strings from start_index >= length return empty without indication
- Private IP validation timing: Validation happens before fetch but URL could redirect to private IP
- Response header validation: No checks for content-type mismatches (e.g., HTML served as JSON)
Code health
License: MIT
Has tests: Yes
Has CI: No
Dependencies: 9
Well-maintained TypeScript MCP server with good test coverage. Has comprehensive tests (Fetcher.test.ts), TypeScript with strict mode enabled, MIT license, and a detailed README with usage examples. Published to npm (v1.0.2). Uses modern dependencies (@modelcontextprotocol/sdk, jsdom, zod). Has a jest testing setup with ts-jest. Missing: CI/CD config and CHANGELOG; git history metadata is unavailable. Code quality is high, with proper error handling, input validation via Zod, and security considerations (private IP blocking). Minor deductions for no CI automation and no changelog maintenance.