The Apify MCP server enables your AI agents to extract data from social media, search engines, maps, e-commerce sites, or any other website using thousands of ready-made scrapers, crawlers, and automation tools available on the Apify Store.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"apify": {
"url": "https://mcp.apify.com?payment=skyfire"
},
"skyfire": {
"url": "https://api.skyfire.xyz/mcp/sse",
"headers": {
"skyfire-api-key": "<YOUR_SKYFIRE_API_KEY>"
}
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
The Apify Model Context Protocol (MCP) server at mcp.apify.com enables your AI agents to extract data from social media, search engines, maps, e-commerce sites, and any other website using thousands of ready-made scrapers, crawlers, and automation tools from Apify Store. It supports OAuth, allowing you to connect from clients like Claude.ai or Visual Studio Code using just the URL.
This server supports HTTP transport. Be the first to test it — help the community know if it works.
Five weighted categories — click any category to see the underlying evidence.
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
### Summary The `fetch-apify-docs` tool validates URLs against a domain allowlist using `String.startsWith()` instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains (e.g., `https://docs.apify.com.evil.com/`), enabling the tool to fetch and return arbitrary web content to the LLM. ### Details #### Vulnerable component `src/tools/common/fetch_apify_docs.ts`, line 51: ```typescript const isAllowedDomain = ALLOWED_DOC_DOMAINS.some((domain) => url.startsWi
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in browser / data
Query and manage PostgreSQL databases directly from AI assistants
Browser automation with Puppeteer for web scraping and testing
Zero-dependency, token-efficient database MCP server for Postgres, MySQL, SQL Server, MariaDB, SQLite.
Manage Supabase projects — databases, auth, storage, and edge functions
MCP Security Weekly
Get CVE alerts and security updates for Apify Mcp Server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
The Apify Model Context Protocol (MCP) server at mcp.apify.com enables your AI agents to extract data from social media, search engines, maps, e-commerce sites, and any other website using thousands of ready-made scrapers, crawlers, and automation tools from Apify Store. It supports OAuth, allowing you to connect from clients like Claude.ai or Visual Studio Code using just the URL.
🚀 Use the hosted Apify MCP Server!
For the best experience, connect your AI assistant to our hosted server at
https://mcp.apify.com. The hosted server supports the latest features - including output schema inference for structured Actor results - that are not available when running locally via stdio.
⚠️ Legacy SSE transport removed. The
https://mcp.apify.com/sseendpoint has been removed in favor of Streamable HTTP. Migrate your client tohttps://mcp.apify.com— drop the/ssesuffix from your configuration.
💰 The server also supports agentic payments via x402 and Skyfire, allowing AI agents to pay for Actor runs without an API token.
Apify MCP Server is compatible with Claude Code, Claude.ai, Cursor, VS Code and any client that adheres to the Model Context Protocol.
Check out the MCP clients section for more details or visit the MCP configuration page.

The Apify MCP Server allows an AI assistant to use any Apify Actor as a tool to perform a specific task. For examp