42
/ 100
1 month ago
glama

FreeTaxUSA MCP Server

Enables AI agents to file taxes through FreeTaxUSA by automating a browser, allowing form filling, navigation, and refund checks via natural language.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
🚨
Secret credentials may flow to a network call
1 flow detected: HERMES_CLIENT_TOKEN. We can’t prove the destination matches the brand the credential belongs to.
🚨
Known vulnerabilities in dependencies: 1 critical, 4 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
🔐
You'll be asked for 1 credential: HERMES_CLIENT_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 critical4 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@3.1.2GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

high@modelcontextprotocol/sdk@1.12.1GHSA-345p-7cg4-v4c7

@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

high@modelcontextprotocol/sdk@1.12.1GHSA-8r9q-7v3j-jr4g

Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

high@modelcontextprotocol/sdk@1.12.1GHSA-w48q-cv73-mx4w

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

highplaywright@1.52.0GHSA-7mvr-c777-76hp

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configFREETAXUSA_HEADLESStrue Set to false to see the browser window
configFREETAXUSA_LEGACY_AUTHfalse Opt back into the embedded Playwright login even when Hermes is configured-but-down. Default fails loudly on a broker outage.
configFREETAXUSA_TAX_YEAR2025 Tax year to file (change for prior years)
configFREETAXUSA_USER_DATA_DIR~/.freetaxusa-mcp/browser-profile/ Browser profile directory
🔐 secretHERMES_CLIENT_TOKENHERMES_URL _(unset)_ Hermes broker URL. When set with , Hermes is the authoritative auth path — see [Authentication via Hermes](#authentication-via-hermes).
configHERMES_SCHEMEcookie-session Credential scheme to request from Hermes.
configHERMES_SERVICEfreetaxusa Service name registered with Hermes.
configHERMES_URL_(unset)_ Hermes broker URL. When set with HERMES_CLIENT_TOKEN, Hermes is the authoritative auth path — see [Authentication via Hermes](#authentication-via-hermes).
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 7 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/schwarztim-freetaxusa-mcp-1jscon)](https://m8ven.ai/mcp/schwarztim-freetaxusa-mcp-1jscon)
commit: 3d9013aa813202e54ea605507d427a6b537cf161
code hash: 0439dbb59d062f93fdc4d35a58430696ee971944c9a026afbe3881b5e5e68455
verified: 6/11/2026, 12:05:19 PM
view raw JSON →