Open-Source MCP Server Cuts AI Token Costs by 93% While Blocking Prompt Injection Attacks
Key Takeaways
- ▸mcp-safe-fetch reduces token consumption by an average of 93% across test sites, with one example showing a reduction from 75K to 2K tokens
- ▸The tool strips prompt injection vectors including hidden HTML elements, fake LLM delimiters, zero-width characters, and suspicious encoded payloads
- ▸Uses deterministic sanitization methods (regex, cheerio, turndown) rather than AI-based filtering, achieving zero false positives in testing
Summary
Developer Tim Stark has released mcp-safe-fetch, an open-source Model Context Protocol (MCP) server that addresses two critical issues in agentic AI coding tools: excessive token consumption and prompt injection vulnerabilities. The tool demonstrates dramatic efficiency gains, reducing token usage from approximately 75,000 to just 2,000 tokens when fetching a single Node.js documentation page through Claude Code's native WebFetch tool — a 97% reduction for that example, with an average of 93% across four test sites.
The problem stems from how AI coding assistants currently handle web content and external files. Tools like Claude Code pass raw content directly into the language model's context window, including React hydration scripts, hidden HTML elements, zero-width characters, base64-encoded payloads, and even deliberately adversarial content designed to manipulate LLM behavior. This not only wastes tokens on irrelevant content but also exposes the AI to prompt injection attacks where malicious actors embed instructions in web pages or files that could alter the model's behavior.
mcp-safe-fetch provides three sanitization tools — safe_fetch, safe_read, and safe_exec — that act as drop-in replacements for Claude Code's native WebFetch, Read, and Bash tools. The sanitization layer uses deterministic methods (regex, cheerio, and turndown) rather than AI-based filtering, ensuring predictable behavior. The tool strips hidden HTML elements, off-screen content, script tags, zero-width characters, suspicious base64 payloads, and fake LLM delimiters while preserving all visible content. According to Stark's testing, the tool achieved zero false positives across test cases.
The MCP server can be installed via a simple npx command and offers flexible deployment options. By default, it only blocks the native WebFetch tool while leaving Read and Bash available for trusted local operations, but a strict mode is available to route all content through sanitization. The project is open-source under an MIT license and addresses growing concerns about both the cost efficiency and security of agentic AI systems that interact with untrusted external content.
- Provides drop-in replacements for Claude Code's WebFetch, Read, and Bash tools with compatible parameters and output formats
- Open-source under MIT license with flexible deployment: default mode only blocks WebFetch, while strict mode routes all content through sanitization
Editorial Opinion
This project highlights a significant blindspot in the current generation of AI coding assistants: the assumption that all fetched content is benign. As agentic systems gain more autonomy to browse the web and execute commands, the attack surface for prompt injection grows exponentially. What's particularly noteworthy is the dual benefit — the 93% token reduction isn't just a cost optimization, it's also a quality improvement, as the LLM can focus on actual content rather than parsing through framework boilerplate. The deterministic approach is the right architectural choice here; using another LLM to sanitize content for an LLM would introduce latency, cost, and potential failure modes that defeat the purpose.
