Claude Code's WebFetch converts HTML to markdown and runs it through a secondary model before it hits your context — but that pipeline wasn't designed as a security boundary. Turndown strips structural junk (scripts, CSS, nav chrome), but zero-width characters, fake LLM delimiters, base64-encoded payloads, and markdown exfiltration URLs all survive the conversion. And using a small LLM to filter adversarial content is the fox guarding the henhouse.
The problem gets worse outside Claude Code. API-level web_fetch, other coding tools, curl output, cloned repos — raw content flows into LLM context with no sanitization at all.
mcp-safe-fetch is an MCP server with three tools (safe_fetch, safe_read, safe_exec) that sanitize content deterministically before the LLM sees it. Regex + cheerio + turndown, no AI in the loop. Across 4 test sites: 93% average token reduction, zero false positives, all visible content preserved.
npx -y mcp-safe-fetch init