5bats

How to stop your MCP server or Claude Desktop fetching malicious content

Claude Desktop, on its own, can only talk. The moment it becomes genuinely useful is when you connect an MCP server — a small add-on that gives the app a new power, like fetching a web page, reading your files, or running a search. You follow a setup guide, paste a little configuration, restart the app, and suddenly Claude can go and get things for you. It feels like installing a browser extension: a few clicks, a new superpower.

Here is the part the “best MCP servers” lists never mention. An MCP server runs with whatever access you hand it, and a fetch tool — one that pulls web pages into the conversation — is exactly the kind of power an attacker wants to borrow. A page can carry hidden instructions that hijack the model the instant it reads them. And a careless fetcher can be talked into requesting addresses on your own network that were never meant to face the world. The convenience of “just let Claude fetch it” quietly turns into “let a stranger’s web page, and a path to my internal network, into the room.”

mcp-safe-fetch is a fetch tool built to be the safe one. It is the same sanitiser as safe-fetch, packaged as an MCP server for Claude Desktop: every page it fetches is cleaned and wrapped as untrusted data before the model sees it, and it refuses to be pointed at anything but a genuine, public address.

The problem, in plain terms

There are two separate risks bundled into “let the app fetch a page,” and a typical fetch tool guards against neither. The first is indirect prompt injection — hidden text on the page that the model reads as a command (the same risk safe-fetch addresses on the command line). The second is SSRF, Server-Side Request Forgery: a fetcher that will dutifully request http://169.254.169.254/ or your router’s admin page if asked, handing an outsider a window onto things inside your firewall. A fetch tool is powerful precisely because it reaches out on your behalf — which is what makes an unguarded one dangerous.

Who runs into this

People using Claude Desktop (or another MCP client) as an app, not a terminal — exactly the audience told to “add these ten MCP servers to supercharge your assistant,” with no mention of what a fetch tool can be tricked into doing.

What mcp-safe-fetch does — and how it works

It exposes two tools over MCP — fetch_url and search — and runs both through the same validate → fetch → sanitise → wrap path.

How mcp-safe-fetch cleans a fetch for Claude DesktopA fetched web page is run through mcp-safe-fetch, which strips hidden instructions, blocks requests to internal addresses, and wraps the result as untrusted data before Claude Desktop reads it.Web pagehidden instructionsmcp-safe-fetchsanitise + SSRF guard,wrap as untrusted dataClaude Desktopreads data, not commands
The page is stripped of hidden tricks and the fetch can't be steered at your network — the model gets data, not commands.

The same sanitiser, as an MCP server

Every fetched page is stripped of the hidden injection vectors — invisible Unicode, scripts and comments, off-screen and same-colour text, encoded payloads, fake model delimiters, markdown-image exfiltration links — capped at a safe size, and wrapped in an untrusted-content envelope. Search works identically: results are untrusted data, treated exactly like any other fetched page.

The SSRF guard

This is the part that is specific to running as a server reachable from a powerful app. Before fetching, mcp-safe-fetch allows only http/https, rejects raw IP-literals, resolves the host and pins that validated public IP, and re-validates every redirect hop — so a redirect cannot quietly send the request to an internal address.

The model rule is load-bearing

The wrapper tags are inert on their own; they only work because a rule tells the model what they mean. The setup adds a line to your Claude Desktop instructions that marks fetched content as external data the model must never act on (the exact rule ships with the tool). Skip that line and the wrapping is just decoration — so it is part of the install, not an afterthought.

Install & use it

mcp-safe-fetch runs on macOS and needs Claude Desktop plus Docker Desktop. It is added like any MCP server — a small entry in claude_desktop_config.json pointing at the container — after which you restart Claude Desktop and add the model rule. A step-by-step guide (made for people new to Docker and MCP) ships in the repo:

docker pull ghcr.io/sharkyger/mcp-safe-fetch:latest

Then follow the install guide to register it and add the untrusted-data rule. Full setup and source are on GitHub: github.com/sharkyger/mcp-safe-fetch (MIT).

FAQ

Are Claude Desktop MCP servers safe?

An MCP server runs with the access you grant it, and a fetch tool can pull in hostile web content or be pointed at your private network. mcp-safe-fetch is a fetch tool built to be safe: it sanitises every page and refuses to resolve internal addresses.

What is the SSRF guard for?

Server-Side Request Forgery — tricking a fetcher into requesting an internal address such as your router or a cloud metadata endpoint. mcp-safe-fetch rejects IP-literals, pins the resolved public IP, and re-checks every redirect, so a fetch can’t be steered at services behind your firewall.

Do I need Claude Code, or does this work with the Claude Desktop app?

This is for the Claude Desktop app (and other MCP clients). If you work in Claude Code on the command line, its sibling safe-fetch is the one you want — same sanitiser, different home.

mcp-safe-fetch is one of the 5bats AI-agent security tools. On the command line, safe-fetch does the same job for Claude Code; to stop fetched or sub-agent text being run as instructions inside Claude Code, see claude-code-prompt-injection-gate.

See the macOS install guide and source on GitHub →

Guides

Compare

Deutsch: Impressum · Datenschutz

© 2026 | 5bats
No cookies. No tracking. No outbound calls.