doc-mcp-server
by aserper
Overview
Provides LLM agents with real-time, structured access to documentation from various package managers and platforms to prevent hallucinations and ensure up-to-date information.
Installation
rtfd
Environment Variables
- GITHUB_TOKEN
- VERIFIED_BY_PYPI
Security Notes
Critical vulnerability: The `convert_rst_to_markdown` function processes external reStructuredText (RST) content using `docutils.core.publish_parts`. Docutils is known to be unsafe for untrusted input as RST can execute arbitrary Python code, leading to Remote Code Execution (RCE) or Local File Inclusion (LFI). This poses a significant risk if the server processes a malicious PyPI README. Additionally, tools like `GitHubProvider.get_file_content` can fetch arbitrary file content from GitHub, potentially exposing sensitive data if directed by a malicious agent. The `DockerHubProvider._fetch_dockerfile` attempts to parse DockerHub descriptions for GitHub URLs to Dockerfiles, which could be abused. The `README.md` explicitly warns about 'indirect prompt injection' and 'malicious code execution.' No hardcoded secrets were found, and `GITHUB_TOKEN` is read from environment variables.
Similar Servers
mcp-server
Provides a Model Context Protocol (MCP) server for AI agents to search and retrieve curated documentation for the Strands Agents framework, facilitating AI coding assistance.
python-dependency-manager-companion-mcp-server
Provides current and accurate documentation for Python package managers (pip, conda, poetry, uv, pixi, pdm) to AI agents and IDEs.
package-registry-mcp
Enables AI assistants and agents to search various package registries (NPM, Cargo, NuGet, PyPI, Go) and retrieve up-to-date package information.
RTFD
RTFD acts as an MCP server to provide LLM coding agents with real-time documentation from various package repositories and platforms, aiming to prevent hallucinations and provide up-to-date context.