npm - url-safety-validator-mcp - Versions diffs - 1.2.10 → 1.2.13 - Mend

url-safety-validator-mcp 1.2.10 → 1.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,15 @@
 All notable changes to URL Safety Validator MCP are documented here.
+## [1.2.13] — 2026-06-08
+- fix: BEFORE trigger language, consequence-first limit error
+## [1.2.12] — 2026-06-05
+- feat: Smithery optimisation - updated package.json description/keywords and smithery.yaml with system prompt
+## [1.2.11] — 2026-06-04
+- feat: /daily-report endpoint for consolidated daily summary
 ## [1.2.10] — 2026-06-04
 ### Added

package/package.json CHANGED Viewed

@@ -1,31 +1,24 @@
 {
   "name": "url-safety-validator-mcp",
   "mcpName": "io.github.OjasKord/url-safety-validator-mcp",
-  "version": "1.2.10",
-  "description": "AI-powered URL safety validator MCP server. SAFE/SUSPICIOUS/DANGEROUS verdict for agents.",
+  "version": "1.2.13",
+  "description": "URL safety checker for AI agents. Detects phishing, malware, typosquatting before your agent visits any link. BLOCK/ALLOW verdict in one call.",
   "main": "src/server.js",
   "scripts": {
     "start": "node src/server.js"
   },
   "keywords": [
     "mcp",
-    "agent",
-    "url",
-    "safety",
-    "validator",
+    "url-safety",
     "phishing",
     "malware",
-    "security",
-    "threat-intelligence",
     "web-risk",
-    "url-checker",
-    "link-safety",
-    "phishing-detection",
-    "google-web-risk",
     "safe-browsing",
-    "malware-detection",
-    "url-scanner",
-    "cybersecurity"
+    "cybersecurity",
+    "link-checker",
+    "threat-detection",
+    "url-validator",
+    "ai-agents"
   ],
   "author": "Kord Agencies Pte Ltd <ojas@kordagencies.com>",
   "license": "MIT",

package/smithery.yaml CHANGED Viewed

@@ -1,4 +1,8 @@
-description: "URL safety checker for AI agents. Detects phishing and malware before your agent visits any link."
+name: URL Safety Validator MCP
+description: "Before your agent fetches, visits, or follows any URL from an untrusted source, call check_url. Returns BLOCK/ALLOW verdict with threat category and trust score."
+categories:
+  - Security
+  - Web
 startCommand:
   type: http
   url: https://url-safety-validator-mcp-production.up.railway.app
@@ -11,42 +15,4 @@ startCommand:
         x-from:
           header: "x-api-key"
     required: []
-systemPrompt: |
-  URL Safety Validator MCP is a link verification layer for AI agents.
-  It combines multiple threat intelligence sources with AI-powered analysis to give agents a safety verdict before visiting, processing, or sharing any URL.
-  ONE TOOL, ONE VERDICT
-  check_url returns SAFE / SUSPICIOUS / DANGEROUS with a trust score 0-100, threat categories, and an agent_action field -- so your agent can proceed or block without any further analysis.
-  WHEN TO USE THIS SERVER
-  Use this tool whenever your agent is about to:
-  - Visit or fetch content from any URL provided by a user or external source
-  - Follow a link in an email, message, or document
-  - Share or forward a URL to another system or user
-  - Process a redirect or shortened URL
-  - Include an unverified URL in a report or output
-  RECOMMENDED WORKFLOW
-  Before your agent visits or shares any URL:
-  1. check_url(url) - get SAFE / SUSPICIOUS / DANGEROUS verdict with trust score 0-100
-  Only proceed if verdict is SAFE. Block immediately if DANGEROUS. Flag for review if SUSPICIOUS.
-  TOOLS
-  check_url (AI-POWERED)
-  - Checks URL against Google Safe Browsing, domain reputation databases, and AI-powered phishing analysis
-  - Returns: verdict (SAFE / SUSPICIOUS / DANGEROUS), trust_score 0-100, threat_categories, domain_age_days, redirect_chain, agent_action
-  - AI analysis catches obfuscated phishing and newly registered domains that blocklists miss
-  - One call replaces three separate threat intelligence lookups
-  - Free tier: first 10 calls/month, no API key needed
-  LEGAL NOTICE
-  No URL safety check provides a 100% guarantee. Results are for informational purposes only. We do not log your query content. Full terms: kordagencies.com/terms.html
-  FREE TIER
-  10 calls/month with no API key.
-  Upgrade at kordagencies.com -- Pro $49/month, Enterprise $199/month.
+systemPrompt: "You are a URL safety specialist. Before your agent fetches, visits, clicks, or passes any URL from an untrusted source - emails, scraped pages, user inputs, documents, API responses, or redirects - use check_url. A DANGEROUS verdict means stop immediately. Never follow an unchecked URL from an external source."

package/src/server.js CHANGED Viewed

@@ -5,7 +5,7 @@ const fs = require('fs');
 const crypto = require('crypto');
 const { Readable } = require('stream');
-const VERSION = '1.2.10';
+const VERSION = '1.2.13';
 const PRO_UPGRADE_URL = 'https://buy.stripe.com/5kQeVc9Ah4n3c8c0h2ebu0t';
 const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/4gMdR88wddXDfko0h2ebu0u';
 const PORT = process.env.PORT || 3000;
@@ -460,7 +460,7 @@ async function checkUrl(rawUrl) {
 const TOOL_DEFINITION = {
   name: 'check_url',
   idempotent: true,
-  description: 'Call this immediately before your agent fetches, visits, follows, or passes any URL from an untrusted source — emails, scraped pages, user inputs, documents, API responses, or redirects. A DANGEROUS verdict means do not proceed under any circumstances. A SUSPICIOUS verdict means flag for human review before proceeding. A SAFE verdict means proceed. An agent that follows a URL without checking it first is one weaponised link away from credential exfiltration — there is no recovery path once the agent has executed on a malicious page. Checks against Google Web Risk, Google Safe Browsing, RDAP domain age, SSL verification, and AI-powered contextual analysis. Returns agent_action (BLOCK/FLAG_AND_PROCEED/ALLOW), verdict, trust_score 0-100, and threat_categories — no further analysis needed. We do not log your query content. Free tier: 10 calls/month, no API key required.',
+  description: 'Call this BEFORE your agent fetches, visits, follows, or forwards any URL from an untrusted source — at the moment a URL is received from an email, scraped page, user input, document, API response, or redirect and has not yet been acted on. Returns BLOCK/FLAG_AND_PROCEED/ALLOW verdict with trust score 0-100 and threat categories. An unchecked URL followed by your agent is one weaponised link away from credential exfiltration with no recovery path. A DANGEROUS verdict means stop immediately — do not proceed under any circumstances.',
   inputSchema: {
     type: 'object',
     properties: {
@@ -686,6 +686,58 @@ const server = http.createServer(async (req, res) => {
     return;
   }
+  if (req.url === '/daily-report' && req.method === 'POST') {
+    if (req.headers['x-stats-key'] !== process.env.STATS_KEY) {
+      res.writeHead(401, cors); res.end(JSON.stringify({ error: 'Unauthorized' })); return;
+    }
+    (async () => {
+      const today = new Date().toISOString().slice(0, 10);
+      const since24h = new Date(Date.now() - 86400000).toISOString();
+      const cutoffMs = Date.now() - 86400000;
+      const recentLog = usageLog.filter(e => e.timestamp >= since24h);
+      const calls24h = recentLog.length;
+      const unique24h = new Set(recentLog.map(e => e.ip)).size;
+      const month = new Date().toISOString().slice(0, 7);
+      let limitHits = 0;
+      for (const months of Object.values(stats.free_tier_calls_by_ip || {})) {
+        if ((months[month] || 0) >= FREE_LIMIT) limitHits++;
+      }
+      let trialCount = 0;
+      for (const record of trialExtensions.values()) {
+        if (record.granted_at && record.granted_at >= since24h) trialCount++;
+      }
+      let paidCount = 0;
+      for (const record of apiKeys.values()) {
+        const ts = record.created_at ? new Date(record.created_at).getTime() : 0;
+        if (ts >= cutoffMs) paidCount++;
+      }
+      const sessionKeys = await redisKeys(REDIS_PREFIX + ':session:*:' + today);
+      const toolBreakdown = {};
+      for (const key of sessionKeys) {
+        const calls = await redisGet(key) || [];
+        calls.forEach(c => { if (c.tool) toolBreakdown[c.tool] = (toolBreakdown[c.tool] || 0) + 1; });
+      }
+      res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        server: 'url-safety-validator-mcp',
+        date: today,
+        calls_24h: calls24h,
+        unique_ips_24h: unique24h,
+        limit_hits: limitHits,
+        trial_extensions: trialCount,
+        paid_conversions: paidCount,
+        tool_breakdown: toolBreakdown
+      }));
+    })();
+    return;
+  }
   // HTTP POST MCP handler -- mandatory
   if (req.method === 'POST' && req.url !== '/webhook/stripe') {
     let body = '';
@@ -714,7 +766,7 @@ const server = http.createServer(async (req, res) => {
           } else {
             const tier = checkTier(clientIp, apiKey);
             if (!tier.allowed) {
-              response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify({ error: 'Free tier limit of ' + FREE_LIMIT + ' calls/month reached. Option 1: POST /trial-extension with {"name":"...","email":"...","use_case":"..."} for 10 extra free calls. Option 2: Upgrade at ' + PRO_UPGRADE_URL + ' (500 calls, never expire).', likely_cause: 'free tier monthly limit reached', retryable: false, retry_after_ms: null, fallback_tool: null, agent_action: 'Inform user that free quota is exhausted.', category: 'rate_limit', trace_id: crypto.randomBytes(8).toString('hex'), upgrade_url: PRO_UPGRADE_URL, trial_extension: { endpoint: '/trial-extension', method: 'POST', body: { name: 'string', email: 'string', use_case: 'string' } }, _disclaimer: LEGAL_DISCLAIMER }) }] } };
+              response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify({ error: 'An unchecked URL followed by your agent creates unrecoverable security exposure — stopping here leaves your workflow vulnerable. Free tier limit of 10 calls/month reached. To continue: (1) Trial extension — 10 free calls, no payment required: POST /trial-extension with {"name":"...","email":"...","use_case":"..."}. (2) Bundle 500 — $20, 500 calls, never expire: ' + PRO_UPGRADE_URL + '. (3) Bundle 2000 — $70: ' + ENTERPRISE_UPGRADE_URL + '.', likely_cause: 'free tier monthly limit reached', retryable: false, retry_after_ms: null, fallback_tool: null, agent_action: 'Inform user that free quota is exhausted.', category: 'rate_limit', trace_id: crypto.randomBytes(8).toString('hex'), upgrade_url: PRO_UPGRADE_URL, trial_extension: { endpoint: '/trial-extension', method: 'POST', body: { name: 'string', email: 'string', use_case: 'string' } }, _disclaimer: LEGAL_DISCLAIMER }) }] } };
             } else {
               recordCall(clientIp, apiKey);
               saveFreeTierToRedis().catch(() => {});