grade C

10 days ago

glama

mcp-nexus

A multi-provider MCP server that acts as a unified bridge for Tavily, Brave Search, and GrokSearch APIs. It features a comprehensive Admin UI for managing API key rotation, client authentication, and real-time usage monitoring across all search providers.

→ xydong-web/mcp-nexus · listed on glama

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

🚨

Known vulnerabilities in dependencies: 1 critical

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

🔐

You'll be asked for 10 credentials: ADMIN_API_TOKEN, BRAVE_API_KEY, BRAVE_USAGE_HASH_SECRET, FIRECRAWL_API_KEY, GROK_API_KEY, GROK_USAGE_HASH_SECRET, KEY_ENCRYPTION_SECRET, TAVILY_BRIDGE_MCP_TOKEN, TAVILY_USAGE_HASH_SECRET, TEST_AES_KEY

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

🔐 secretADMIN_API_TOKEN— Edit .env to set your and other configurations

configADMIN_KEYS_EXPORT_RATE_LIMIT_PER_MINUTE

configADMIN_KEYS_IMPORT_RATE_LIMIT_PER_MINUTE

configADMIN_KEY_REVEAL_RATE_LIMIT_PER_MINUTE— Max key reveal attempts per minute in the Admin UI. 20

configADMIN_REGISTRATION_IMPORT_RATE_LIMIT_PER_MINUTE

configADMIN_REGISTRATION_RUN_RATE_LIMIT_PER_MINUTE

🔐 secretBRAVE_API_KEY— A Brave Search API key. If set, this single key will be used. For multi-key support, add keys via the Admin UI. ""

configBRAVE_HTTP_TIMEOUT_MS— Per-request HTTP timeout for the Brave API. 20000

configBRAVE_MAX_QPS— Max requests per second to the Brave API to stay within rate limits. 1

configBRAVE_MAX_QUEUE_MS— Max time a request can wait in the queue before failing or falling back to Tavily. 30000

configBRAVE_MIN_INTERVAL_MS— Overrides BRAVE_MAX_QPS with a fixed minimum interval between requests. ""

configBRAVE_OVERFLOW— Behavior when the request queue is full: fallback_to_tavily (default), queue (wait), or error. fallback_to_tavily

configBRAVE_USAGE_CLEANUP_PROBABILITY

🔐 secretBRAVE_USAGE_HASH_SECRET

configBRAVE_USAGE_LOG_MODE

configBRAVE_USAGE_RETENTION_DAYS

configBRAVE_USAGE_SAMPLE_RATE

configDATABASE_URL— Connection string for the database. Node runtime now requires PostgreSQL semantics. postgresql://mcp_nexus:mcp_nexus_dev@localhost:5432/mcp_nexus?schema=public

configDEFAULT_PARAMETERS

configENABLE_QUERY_AUTH— If true, enables MCP client token authentication for the /mcp endpoint. false

configENABLE_TAVILY_CREDITS_CHECK

🔐 secretFIRECRAWL_API_KEY— Optional Firecrawl API key used for supplemental source/fetch fallback. ""

configFIRECRAWL_API_URL— Optional Firecrawl API base URL override. https://api.firecrawl.dev/v1

🔐 secretGROK_API_KEY

configGROK_API_URL— Optional Grok-compatible API base URL override. https://api.x.ai/v1

configGROK_COOLDOWN_MS

configGROK_EXTRA_SOURCES_DEFAULT— Default extra supplemental source count for web_search. 0

configGROK_HTTP_TIMEOUT_MS

configGROK_MAX_RETRIES

configGROK_MODEL_DEFAULT— Default Grok model used by web_search when caller does not override model. grok-4.2-beta

configGROK_SEARCH_ENABLED— Enables/disables Grok tool exposure (web_search, get_sources, web_fetch, web_map). false

configGROK_SEARCH_SOURCE_MODE— Grok supplemental source mode: tavily_only, brave_only, combined, brave_prefer_tavily_fallback. combined

configGROK_USAGE_CLEANUP_PROBABILITY

🔐 secretGROK_USAGE_HASH_SECRET— Optional secret for keyed query hashing in Grok usage telemetry. ""

configGROK_USAGE_LOG_MODE— Grok usage logging mode: none, hash, preview, full. preview

configGROK_USAGE_RETENTION_DAYS

configGROK_USAGE_SAMPLE_RATE— Optional sample rate (0-1) for Grok usage telemetry. ""

configHOST— The host address for the server to listen on. 0.0.0.0

🔐 secretKEY_ENCRYPTION_SECRET— A 32-byte (256-bit) secret key used for encrypting and decrypting upstream API keys stored in the database. (generated in example)

configMCP_COOLDOWN_MS— Cooldown period in milliseconds for an upstream API key after a failure. 60000

configMCP_GLOBAL_RATE_LIMIT_PER_MINUTE— Max requests per minute across all clients. 600

configMCP_MAX_RETRIES— Maximum number of retries for failed upstream requests. 2

configMCP_RATE_LIMIT_PER_MINUTE— Max requests per minute per client token. 60

configPORT— The port for the server to listen on. 8787

configREGISTRATION_AUTOMATION_ENABLED

configREGISTRATION_COOLDOWN_MS

configREGISTRATION_MAX_RETRIES

configSEARCH_SOURCE_MODE— When =combined:

configSERVER_SETTINGS_REFRESH_MS

🔐 secretTAVILY_BRIDGE_MCP_TOKEN— "": "<client_token>"

configTAVILY_CREDITS_CACHE_TTL_MS— Duration to cache Tavily credit information before it's considered stale. 60000

configTAVILY_CREDITS_COOLDOWN_MS— Cooldown duration for a key that has fallen below the minimum credit threshold. 300000 (5m)

configTAVILY_CREDITS_MIN_REMAINING— Credit threshold at which a Tavily key will be automatically put into cooldown status. 1

configTAVILY_CREDITS_REFRESH_LOCK_MS— Lock duration to prevent concurrent credit refreshes for the same key. 15000

configTAVILY_CREDITS_REFRESH_MAX_RETRIES

configTAVILY_CREDITS_REFRESH_RETRY_DELAY_MS

configTAVILY_CREDITS_REFRESH_TIMEOUT_MS— Timeout for the upstream Tavily credits API request. 5000

configTAVILY_CREDITS_STALE_GRACE_MS

configTAVILY_KEY_SELECTION_STRATEGY

configTAVILY_RESEARCH_ENABLED

configTAVILY_USAGE_CLEANUP_PROBABILITY— The probability (0.0 to 1.0) that a cleanup of old usage logs is triggered on a new usage event. 0.001

🔐 secretTAVILY_USAGE_HASH_SECRET— Optional secret for creating a keyed HMAC-SHA256 hash of queries instead of a plain SHA256. Recommended for privacy. ""

configTAVILY_USAGE_LOG_MODE— Log level for Tavily tool usage: none, hash (query hash only), preview (redacted query), or full query. preview

configTAVILY_USAGE_RETENTION_DAYS— Optional retention period for usage logs. If set, old logs will be periodically cleaned up. ""

configTAVILY_USAGE_SAMPLE_RATE— Optional sampling rate (0.0 to 1.0) for logging usage events. Empty string means log all events. ""

🔐 secretTEST_AES_KEY

configVITE_ADMIN_UI_PROXY_TARGET

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/xydong-web-mcp-nexus-1luma7)](https://m8ven.ai/mcp/xydong-web-mcp-nexus-1luma7)

commit: daa62c87a8215a20f25e78d350f53f56ee41129b

code hash: a40c34142a028eeb09ed798c35e2ab36071823d27adcc8f89434bef47ff78974

verified: 4/11/2026, 2:58:31 PM

view raw JSON →