Best web search MCP servers

Web search MCP servers give agents real-time information beyond their training data. Tavily, Brave Search, Exa, and Perplexity all ship MCP servers that expose search as a Tool over JSON-RPC 2.0. Picking one comes down to API quality, latency, source provenance, and how the returned payload interacts with the model context.

Common servers worth knowing

Tavily

AI-grounded search built for agent retrieval. Returns ranked results with short extracts and source URLs as Resources. Paid API; the MCP server itself is free to install. Tiered pricing per query.

Brave Search

Privacy-respecting index from Brave's own crawl, no Google or Bing dependency. Free tier on the API up to a monthly call cap, paid above. The MCP server exposes brave_web_search and brave_local_search as Tools.

Exa

Neural search optimized for semantic intent and long-form retrieval. Returns full page contents alongside URLs, which raises the payload-size and prompt-injection surface compared to snippet-only servers.

Perplexity

Search plus answer synthesis in one call. The server returns Perplexity's own generated summary alongside citations. Useful when the agent needs a pre-digested answer; risky when source attribution gets stripped downstream.

The API-key and cost model

Most web search MCP servers wrap a paid third-party API. Install is free; invocations cost. The agent client (Claude Code, Claude Desktop, Cursor, Windsurf) reads an API key from env vars or a config file on the host, then forwards it to the underlying search provider on every search call. Three implications follow:

  • Cost scales with invocations. Install is one-time and free; every search call hits the upstream API at its per-query rate. A loose agent loop that retries searches inflates the monthly bill fast. Pin a retry ceiling on the client side or use a gateway that meters calls.
  • The key lives in plaintext on disk. Same threat model as any other MCP server holding credentials. A compromised local process reads it directly. CVE-2025-6514 in mcp-remote showed the pre-auth RCE shape this enables.
  • Backpressure on high-frequency streams. Search payloads can be large. The SSE transport relies on client-side buffering to handle bursts; servers without rate-limit awareness can saturate the connection and stall the session.

What the trust score reads

Web search results enter the model context as authoritative text. That makes the Return Value Injection attack pattern directly applicable: a search hit containing crafted instructions can hijack the agent's next action. Four trust signals matter:

  • Source attribution in returned payloads. Does every result include a canonical URL the client can show the user? Servers that strip provenance score lower; the model loses the ability to ground citations.
  • Query-rewrite transparency. Some servers rewrite the agent's query before hitting the upstream API (synonym expansion, intent reframing). If the rewrite is opaque, the agent acts on results it did not actually request.
  • Rate-limit behavior. Honest 429 propagation back to the client beats silent retries that mask cost spikes and trigger unbounded execution loops.
  • Response-payload-injection guarding. Search hits get treated as trusted context by the LLM. A server that sanitizes payload markup before returning it (stripping HTML, neutralizing instruction-shaped strings) defends against indirect prompt injection at the source.