74
/ 100
27 days ago
glama

mcp-nexus

A multi-provider MCP server that acts as a unified bridge for Tavily, Brave Search, and GrokSearch APIs. It features a comprehensive Admin UI for managing API key rotation, client authentication, and real-time usage monitoring across all search providers.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry β€” install directly from whichever one you prefer.

// key findings
🚨
Known vulnerabilities in dependencies: 2 critical
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
πŸ”
You'll be asked for 10 credentials: ADMIN_API_TOKEN, BRAVE_API_KEY, BRAVE_USAGE_HASH_SECRET, FIRECRAWL_API_KEY, GROK_API_KEY, GROK_USAGE_HASH_SECRET, KEY_ENCRYPTION_SECRET, TAVILY_BRIDGE_MCP_TOKEN, TAVILY_USAGE_HASH_SECRET, TEST_AES_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies2 critical1 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@2.1.8GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

criticalvitest@2.1.8GHSA-9crc-q9x8-hgqq

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

lowuuid@13.0.0GHSA-w5hq-g745-h8pq

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

Depend on this server? Get alerted when its CVEs change.Watch this server free β†’
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
πŸ” secretADMIN_API_TOKENβ€” Edit .env to set your and other configurations
configADMIN_KEYS_EXPORT_RATE_LIMIT_PER_MINUTE
configADMIN_KEYS_IMPORT_RATE_LIMIT_PER_MINUTE
configADMIN_KEY_REVEAL_RATE_LIMIT_PER_MINUTEβ€” Max key reveal attempts per minute in the Admin UI. 20
configADMIN_REGISTRATION_IMPORT_RATE_LIMIT_PER_MINUTE
configADMIN_REGISTRATION_RUN_RATE_LIMIT_PER_MINUTE
πŸ” secretBRAVE_API_KEYβ€” A Brave Search API key. If set, this single key will be used. For multi-key support, add keys via the Admin UI. ""
configBRAVE_HTTP_TIMEOUT_MSβ€” Per-request HTTP timeout for the Brave API. 20000
configBRAVE_MAX_QPSβ€” Max requests per second to the Brave API to stay within rate limits. 1
configBRAVE_MAX_QUEUE_MSβ€” Max time a request can wait in the queue before failing or falling back to Tavily. 30000
configBRAVE_MIN_INTERVAL_MSβ€” Overrides BRAVE_MAX_QPS with a fixed minimum interval between requests. ""
configBRAVE_OVERFLOWβ€” Behavior when the request queue is full: fallback_to_tavily (default), queue (wait), or error. fallback_to_tavily
configBRAVE_USAGE_CLEANUP_PROBABILITY
πŸ” secretBRAVE_USAGE_HASH_SECRET
configBRAVE_USAGE_LOG_MODE
configBRAVE_USAGE_RETENTION_DAYS
configBRAVE_USAGE_SAMPLE_RATE
configDATABASE_URLβ€” Connection string for the database. Node runtime now requires PostgreSQL semantics. postgresql://mcp_nexus:mcp_nexus_dev@localhost:5432/mcp_nexus?schema=public
configDEFAULT_PARAMETERS
configENABLE_QUERY_AUTHβ€” If true, enables MCP client token authentication for the /mcp endpoint. false
configENABLE_TAVILY_CREDITS_CHECK
πŸ” secretFIRECRAWL_API_KEYβ€” Optional Firecrawl API key used for supplemental source/fetch fallback. ""
configFIRECRAWL_API_URLβ€” Optional Firecrawl API base URL override. https://api.firecrawl.dev/v1
πŸ” secretGROK_API_KEY
configGROK_API_URLβ€” Optional Grok-compatible API base URL override. https://api.x.ai/v1
configGROK_COOLDOWN_MS
configGROK_EXTRA_SOURCES_DEFAULTβ€” Default extra supplemental source count for web_search. 0
configGROK_HTTP_TIMEOUT_MS
configGROK_MAX_RETRIES
configGROK_MODEL_DEFAULTβ€” Default Grok model used by web_search when caller does not override model. grok-4.2-beta
configGROK_SEARCH_ENABLEDβ€” Enables/disables Grok tool exposure (web_search, get_sources, web_fetch, web_map). false
configGROK_SEARCH_SOURCE_MODEβ€” Grok supplemental source mode: tavily_only, brave_only, combined, brave_prefer_tavily_fallback. combined
configGROK_USAGE_CLEANUP_PROBABILITY
πŸ” secretGROK_USAGE_HASH_SECRETβ€” Optional secret for keyed query hashing in Grok usage telemetry. ""
configGROK_USAGE_LOG_MODEβ€” Grok usage logging mode: none, hash, preview, full. preview
configGROK_USAGE_RETENTION_DAYS
configGROK_USAGE_SAMPLE_RATEβ€” Optional sample rate (0-1) for Grok usage telemetry. ""
configHOSTβ€” The host address for the server to listen on. 0.0.0.0
πŸ” secretKEY_ENCRYPTION_SECRETβ€” A 32-byte (256-bit) secret key used for encrypting and decrypting upstream API keys stored in the database. (generated in example)
configMCP_COOLDOWN_MSβ€” Cooldown period in milliseconds for an upstream API key after a failure. 60000
configMCP_GLOBAL_RATE_LIMIT_PER_MINUTEβ€” Max requests per minute across all clients. 600
configMCP_MAX_RETRIESβ€” Maximum number of retries for failed upstream requests. 2
configMCP_RATE_LIMIT_PER_MINUTEβ€” Max requests per minute per client token. 60
configPORTβ€” The port for the server to listen on. 8787
configREGISTRATION_AUTOMATION_ENABLED
configREGISTRATION_COOLDOWN_MS
configREGISTRATION_MAX_RETRIES
configSEARCH_SOURCE_MODEβ€” When =combined:
configSERVER_SETTINGS_REFRESH_MS
πŸ” secretTAVILY_BRIDGE_MCP_TOKENβ€” "": "<client_token>"
configTAVILY_CREDITS_CACHE_TTL_MSβ€” Duration to cache Tavily credit information before it's considered stale. 60000
configTAVILY_CREDITS_COOLDOWN_MSβ€” Cooldown duration for a key that has fallen below the minimum credit threshold. 300000 (5m)
configTAVILY_CREDITS_MIN_REMAININGβ€” Credit threshold at which a Tavily key will be automatically put into cooldown status. 1
configTAVILY_CREDITS_REFRESH_LOCK_MSβ€” Lock duration to prevent concurrent credit refreshes for the same key. 15000
configTAVILY_CREDITS_REFRESH_MAX_RETRIES
configTAVILY_CREDITS_REFRESH_RETRY_DELAY_MS
configTAVILY_CREDITS_REFRESH_TIMEOUT_MSβ€” Timeout for the upstream Tavily credits API request. 5000
configTAVILY_CREDITS_STALE_GRACE_MS
configTAVILY_KEY_SELECTION_STRATEGY
configTAVILY_RESEARCH_ENABLED
configTAVILY_USAGE_CLEANUP_PROBABILITYβ€” The probability (0.0 to 1.0) that a cleanup of old usage logs is triggered on a new usage event. 0.001
πŸ” secretTAVILY_USAGE_HASH_SECRETβ€” Optional secret for creating a keyed HMAC-SHA256 hash of queries instead of a plain SHA256. Recommended for privacy. ""
configTAVILY_USAGE_LOG_MODEβ€” Log level for Tavily tool usage: none, hash (query hash only), preview (redacted query), or full query. preview
configTAVILY_USAGE_RETENTION_DAYSβ€” Optional retention period for usage logs. If set, old logs will be periodically cleaned up. ""
configTAVILY_USAGE_SAMPLE_RATEβ€” Optional sampling rate (0.0 to 1.0) for logging usage events. Empty string means log all events. ""
πŸ” secretTEST_AES_KEY
configVITE_ADMIN_UI_PROXY_TARGET
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance β€” verified publishers only
We have 5 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/xydong-web-mcp-nexus-1luma7)](https://m8ven.ai/mcp/xydong-web-mcp-nexus-1luma7)
commit: daa62c87a8215a20f25e78d350f53f56ee41129b
code hash: a40c34142a028eeb09ed798c35e2ab36071823d27adcc8f89434bef47ff78974
verified: 6/12/2026, 11:40:53 AM
view raw JSON β†’
mcp-nexus Β· M8ven Trust Score | M8ven