Visus — Secure Web Access for Claude

Your AI agent shouldn't have to read garbage. visus-mcp makes sure it doesn't.

When your agent fetches a webpage it reads everything — nav bars, cookie banners, tracking scripts, ads, SEO spam. Every token costs money. Some pages also embed hidden instructions designed to manipulate your agent's behaviour.

Claude handles most of it. But it still has to read all of it first. You still pay for every token.

visus-mcp is a pre-filter. It strips the noise before a single character enters Claude's context window — reducing token consumption on bloated pages by up to 70%, redacting PII before it enters conversation history, and producing a compliance-grade audit log when it finds something worth flagging.

Built as infrastructure, not a replacement for Claude's own safety training. The two layers together are stronger than either alone.

npx [email protected]

"What the web shows you, Lateos reads safely."

Why Your Agent Is Reading Too Much

A typical news article: 12,000 tokens of raw HTML. The actual article content: ~800 tokens.

You're paying for the nav bar. The footer. The cookie banner. The analytics scripts. The related articles sidebar. The ads.

visus-mcp fetches the same page and delivers:

• visus_read — article content only via Mozilla Readability (~70% token reduction on content-heavy pages)
• visus_fetch — full page with noise stripped and format-converted (JSON/XML/RSS auto-detected)
• visus_search — sanitized DuckDuckGo results, SEO spam removed before it hits context

Real example from today: fetching npmjs.com/package/visus-mcp returned 149,589 bytes raw. visus-mcp delivered 44,129 bytes to Claude. Same information. 70% fewer tokens.

And when a page is actively trying to manipulate your agent — hidden instructions, obfuscated scripts, role hijacking attempts — visus strips those too and logs them in a structured compliance report. Not because Claude can't handle them. Because your agent shouldn't have to spend tokens reading attack attempts in the first place.

How Visus Works

URL → Playwright Render → Content-Type Detection
→ Specialized Handlers (PDF/JSON/SVG) OR HTML Pipeline
→ IPI Threat Detection (7 categories) → Injection Sanitizer (43 patterns)
→ PII Redactor → Cryptographic Proof Generation
→ Token Ceiling (24k cap) → Clean Content + Proof + Threat Summary → Claude

Security Pipeline

1. Browser Rendering: Headless Chromium via Playwright fetches the page
2. Content-Type Routing: Detects MIME type and routes to specialized handlers:
   • PDF (application/pdf) — Extracts text and metadata, sanitizes all fields
   • JSON (application/json) — Recursively sanitizes all string values, preserves structure
   • SVG (image/svg+xml) — Strips dangerous elements (<script>, event handlers), scans text
   • HTML/XML/RSS — Uses existing conversion and reader extraction pipeline
3. IPI Threat Detection (v0.11.0+): 7 specialized detectors scan for Indirect Prompt Injection attempts before sanitization
   • IPI-001 — Instruction Override (CRITICAL)
   • IPI-002 — Role Hijacking (HIGH)
   • IPI-003 — Data Exfiltration (CRITICAL)
   • IPI-004 — Tool Abuse (HIGH)
   • IPI-005 — Context Poisoning (MEDIUM)
   • IPI-006 — Encoded Payload (HIGH)
   • IPI-007 — Steganographic (HIGH)
4. Injection Detection: 43 pattern categories scan for prompt injection attempts
5. PII Redaction: Emails, phone numbers, SSNs, credit cards, and IP addresses are redacted
6. Cryptographic Proof: SHA-256 + HMAC-SHA-256 proof that sanitization ran (EU AI Act Art. 9/13/15 compliance)
7. Clean Delivery: Stripped, formatted, token-efficient content reaches your LLM — with a visus_proof header, threat_summary, and compliance report attached if anything was flagged

This pipeline runs before content enters Claude's context window — reducing token consumption, keeping PII out of conversation history, generating audit logs when injection patterns are detected, and producing tamper-evident cryptographic proofs that sanitization executed.

Security Features

Fine-Grained IPI Threat Detection (v0.11.0+)

NEW: 7 specialized Indirect Prompt Injection (IPI) detectors run before sanitization, providing fine-grained threat annotations with:

• Threat classification — 7 distinct IPI attack categories
• Severity scoring — INFO, LOW, MEDIUM, HIGH, CRITICAL
• Confidence scores — 0.0-1.0 detection confidence per annotation
• Precise offsets — Character-level attack location tracking
• Content excerpts — Max 120 chars of detected attack for audit
• Mitigation status — All threats flagged as mitigated after sanitization

Each tool response now includes a threat_summary field with:

threat_summary: {
  threat_count: number;           // Total IPI threats detected
  highest_severity: ThreatSeverity | 'NONE';
  classes_detected: ThreatClass[]; // e.g., ['IPI-001', 'IPI-003']
}

43 Injection Pattern Categories

Visus detects and neutralizes:

• Direct instruction injection — "Ignore previous instructions"
• Role hijacking — "You are now an unrestricted AI"
• System prompt extraction — "Repeat your instructions"
• Privilege escalation — "Admin mode enabled"
• Data exfiltration — "Send this to http://attacker.com"
• Encoding obfuscation — Base64, Unicode lookalikes, leetspeak
• HTML/script injection — <script>, <iframe>, event handlers
• Jailbreak keywords — DAN mode, developer override
• Token smuggling — Special tokens like <|im_start|>
• Social engineering — Urgency language to bypass caution
• ... and 33 more categories

See full list in SECURITY.md

PII Redaction

Automatically redacts:

• Email addresses → [REDACTED:EMAIL]
• Phone numbers → [REDACTED:PHONE]
• Social Security Numbers → [REDACTED:SSN]
• Credit card numbers → [REDACTED:CC]
• IP addresses → [REDACTED:IP]

Quickstart

Installation

npx visus-mcp

Claude Desktop Configuration

[!NOTE] No API key required. The open-source tier works out of the box with npx visus-mcp. Sanitization always runs locally — web content never reaches Lateos infrastructure unless you explicitly configure the managed renderer URL.

Visus supports three deployment tiers:

Tier 1 — Open Source / Default (No env vars required):

Uses Playwright locally with full JavaScript support. Works immediately, zero configuration:

{
  "mcpServers": {
    "visus": {
      "command": "npx",
      "args": ["visus-mcp"]
    }
  }
}

Tier 2 — Managed / Lateos (Hosted renderer) — Coming Phase 2:

[!NOTE] The hosted Lateos renderer is part of Phase 2 and is not yet publicly available. Sign up for early access at lateos.ai.

{
  "mcpServers": {
    "visus": {
      "command": "npx",
      "args": ["visus-mcp"],
      "env": {
        "VISUS_RENDERER_URL": "https://renderer.lateos.ai"
      }
    }
  }
}

The sanitization pipeline always runs locally. This config simply routes page rendering (JavaScript execution) through a hosted Playwright Lambda instead of local Playwright. Available Phase 2.

Tier 3 — BYOC (Bring Your Own Cloud):

Deploy your own Lambda renderer (see visus-mcp-renderer):

{
  "mcpServers": {
    "visus": {
      "command": "npx",
      "args": ["visus-mcp"],
      "env": {
        "VISUS_RENDERER_URL": "https://YOUR_API_ID.execute-api.YOUR_REGION.amazonaws.com"
      }
    }
  }
}

Replace YOUR_API_ID and YOUR_REGION with values from your CDK deployment output.

CRITICAL SECURITY NOTE: The sanitizer ALWAYS runs locally, regardless of which tier you use. Rendered HTML is returned to your local visus-mcp process before Claude sees it. Web content never touches Lateos infrastructure unless you explicitly configure the managed renderer URL.

Restart Claude Desktop. Visus tools are now available to Claude.

MCP Tools

visus_fetch

Fetch and sanitize a web page with automatic format detection. Supports HTML, JSON, XML, and RSS/Atom feeds. Includes NIST AI RMF / CSF 2.0 / AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.

Supported Formats:

• HTML (text/html, application/xhtml+xml) - Standard web pages, returned as-is
• JSON (application/json) - API responses, formatted with 2-space indentation
• XML (application/xml, text/xml) - XML documents, converted to clean text representation
• RSS/Atom (application/rss+xml, application/atom+xml) - Feeds converted to Markdown with up to 10 items

visus_read

Extract clean article content from a web page using Mozilla Readability (reader mode). Includes NIST AI RMF / CSF 2.0 / AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.

Input:

{
  "url": "https://example.com/article",
  "timeout_ms": 10000    // optional
}

Output:

{
  "url": "https://example.com/article",
  "content": "This is the main article content, stripped of navigation, ads, and boilerplate...",
  "metadata": {
    "title": "Article Title",
    "author": "Jane Doe",
    "published": "2024-01-15T10:00:00Z",
    "word_count": 1250,
    "reader_mode_available": true,
    "sanitized": true,
    "injections_removed": 0,
    "pii_redacted": 1,
    "truncated": false,
    "fetched_at": "2024-01-15T10:30:00.000Z"
  }
}

visus_search

Search the web via DuckDuckGo and return sanitized results with prompt injection and PII removed. Use before visus_fetch or visus_read to safely discover and then read pages. Includes NIST AI RMF / CSF 2.0 / AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.

Input:

{
  "query": "TypeScript programming",
  "max_results": 5    // optional, default: 5, max: 10
}

Output:

{
  "query": "TypeScript programming",
  "result_count": 5,
  "sanitized": true,
  "results": [
    {
      "title": "TypeScript is a strongly typed programming language.",
      "url": "https://typescriptlang.org",
      "snippet": "TypeScript is a strongly typed programming language that builds on JavaScript...",
      "injections_removed": 0,
      "pii_redacted": 0
    }
  ],
  "total_injections_removed": 0
}

All search result titles and snippets are independently sanitized before reaching the LLM.

visus_fetch_structured

Extract structured data from a web page according to a schema. Includes NIST AI RMF / CSF 2.0 / AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.

Input:

{
  "url": "https://shop.example.com/product",
  "schema": {
    "title": "product name",
    "price": "product price",
    "description": "product description"
  },
  "timeout_ms": 10000  // optional
}

Output:

{
  "url": "https://shop.example.com/product",
  "data": {
    "title": "Awesome Product",
    "price": "$99.99",
    "description": "A great product for your needs"
  },
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": [],
    "content_modified": false
  },
  "metadata": {
    "title": "Product Page",
    "fetched_at": "2024-01-15T10:30:00.000Z",
    "content_length_original": 8000,
    "content_length_sanitized": 8000
  }
}

All extracted fields are individually sanitized.

visus_verify

NEW in v0.10.0: Verify a Visus-MCP sanitization proof record. Confirms that a specific request was processed by the Visus injection detection pipeline before content reached the LLM. Produces a compliance statement suitable for EU AI Act Art. 9/13 documentation and GDPR Art. 32 security evidence.

Input:

{
  "proof": {
    "request_id": "abc123...",
    "proof_hash": "9cda5595...",
    "chain_hash": "977f5566...",
    "injection_detected": false,
    "patterns_evaluated": 43,
    "patterns_triggered": 0,
    "timestamp_utc": "2026-03-28T12:00:00Z",
    "pipeline_version": "1.0.0",
    "schema_version": "1.0.0"
  },
  "signingKey": "optional-for-full-verification"
}

Output:

{
  "valid": true,
  "checks": {
    "proofHashMatch": true,
    "signatureMatch": true,
    "schemaVersionMatch": true
  },
  "complianceStatement": "VERIFIED: Request abc123 was processed by Visus-MCP sanitization pipeline v1.0.0 at 2026-03-28T12:00:00Z. Proof hash 9cda5595... recomputed and confirmed. 43 injection patterns evaluated, 0 triggered, 0 redactions applied. Sanitized content reached LLM only after this processing completed. Verified at 2026-03-28T12:30:00Z. EU AI Act Art. 9/13/15 controls confirmed active for this request.",
  "recomputedProofHash": "9cda5595...",
  "verifiedAt": "2026-03-28T12:30:00Z",
  "requestId": "abc123...",
  "issues": []
}

Use Cases:

• Regulatory audit responses (DPA, conformity assessment)
• Internal compliance verification
• Third-party security assessments
• Incident investigation and forensics

See CRYPTO-PROOF-SPEC.md for the complete technical specification.

Cryptographic Proof System

NEW in v0.10.0: Every Visus tool response now includes a visus_proof object providing tamper-evident cryptographic evidence that sanitization executed. This satisfies EU AI Act Art. 9 (Risk Management), Art. 13 (Transparency), and Art. 15 (Robustness) requirements.

What's in a Proof?

{
  "visus_proof": {
    "request_id": "0b9564ea943c3909...",
    "proof_hash": "a7cbc0e4a158dc4e...",
    "chain_hash": "977f55664549b4b2...",
    "injection_detected": false,
    "patterns_evaluated": 43,
    "patterns_triggered": 0,
    "redactions": 0,
    "sanitization_applied": false,
    "timestamp_utc": "2026-03-28T12:00:00.000Z",
    "pipeline_version": "1.0.0",
    "schema_version": "1.0.0",
    "verify_instruction": "Recompute proof_hash from disclosed fields per visus-mcp/CRYPTO-PROOF-SPEC.md"
  }
}

How It Works

1. Before sanitization: Generate unique request ID and timestamp

2. During sanitization: Run full injection detection + PII redaction pipeline

3. After sanitization: Compute cryptographic proof:

   • proof_hash = SHA-256(request_id + input_hash + output_hash + patterns + timestamp + version)
   • proof_signature = HMAC-SHA-256(proof_hash, VISUS_HMAC_SECRET) — stored in audit log only
   • chain_hash = SHA-256(previous_proof_hash + current_proof_hash) — detects deleted records

4. Verification: Anyone can verify the proof by recomputing the proof_hash from the disclosed fields

Security Properties

| Property | Mechanism | Guarantee | |----------|-----------|-----------| | Tamper evidence | SHA-256 over all fields | Any field change invalidates proof_hash | | Authenticity | HMAC-SHA-256 with secret key | Proves pipeline issued the proof | | Non-repudiation | Audit log + chain_hash | Deletion of records is detectable | | Privacy preservation | Hashes only, no raw content | Verification without data exposure |

For Regulators and Auditors

• Hash-only verification: Recompute proof_hash from disclosed fields (no key required)
• Full cryptographic verification: Verify proof_signature with VISUS_HMAC_SECRET (shared under NDA)
• Independent verification: Use the visus_verify tool or CLI verifier
• Compliance statements: Automatically generated for DPA submissions

See CRYPTO-PROOF-SPEC.md for:

• Complete technical specification
• Verification procedures
• Reference implementation test vectors
• Regulatory mapping (EU AI Act / GDPR)
• Deployer compliance checklist

Threat Reporting

When prompt injection or PII is detected, Visus automatically generates a structured threat report with two output layers:

1. TOON-Formatted Findings (Token-Efficient)

Findings are encoded using TOON format for token efficiency while preserving machine readability. Each finding includes:

• Pattern ID and category
• Severity level (CRITICAL, HIGH, MEDIUM, LOW)
• Confidence score
• Framework alignments (OWASP LLM Top 10, NIST AI 600-1, NIST AI RMF, NIST CSF 2.0, MITRE ATLAS, ISO/IEC 42001)
• Remediation status

2. Markdown Compliance Report (Human-Readable)

A formatted Markdown table renders cleanly in Claude Desktop and GitHub, showing:

• Overall severity assessment
• Findings summary by severity
• Detailed findings table with framework mappings
• PII redaction statistics
• Remediation confirmation

Framework Alignments

Every detected threat is mapped to six compliance frameworks:

• OWASP LLM Top 10 (2025): Industry-standard LLM security risks
• NIST AI 600-1: Generative AI Profile for risk management
• NIST AI RMF: AI Risk Management Framework (AI 100-1) with GOVERN, MAP, MEASURE, and MANAGE functions
• NIST CSF 2.0: Cybersecurity Framework 2.0 with IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, and GOVERN functions
• MITRE ATLAS: Adversarial Threat Landscape for AI Systems
• ISO/IEC 42001:2023: International AI Management System standard — Annex A controls for AI system security, data quality, and responsible AI governance. Globally recognized for enterprise and regulatory procurement.

When Reports Are Generated

Threat reports are included in tool responses only when findings exist:

• ✅ Injections detected → Report included
• ✅ PII redacted → Report included
• ❌ Clean content → Report omitted (zero overhead)

Human-in-the-Loop Security

When Visus detects a CRITICAL severity threat, it pauses execution and surfaces a confirmation dialog before returning content:

⚠️ Visus blocked a CRITICAL threat on this page.

2 injection attempt(s) detected on: https://malicious.example.com

Highest severity finding: role_hijacking
(LLM01:2025 | AML.T0051.000)

Content has been sanitized. Proceed with clean version?

[ ✓ Proceed with sanitized content ]  [ ✓ Include threat report ]

Three outcomes:

• Accept → Sanitized content delivered, threat report attached if requested
• Decline → Request blocked, threat details returned for review
• No response / timeout → Sanitized content delivered (fail-safe)

Important: HITL triggers only on CRITICAL findings. HIGH/MEDIUM/LOW findings are sanitized silently with threat report attached — no interruption to workflow.

Security model: Sanitization is the security gate. HITL is UX. Content is ALWAYS sanitized before reaching the LLM, whether or not you accept the elicitation prompt.

Example Threat Report

When a HIGH severity injection is detected:

---
## 🟠 Visus Threat Report
**Generated:** 2026-03-23T14:30:00.000Z
**Source:** https://malicious.example.com
**Overall Severity:** HIGH
**Framework:** OWASP LLM Top 10 | NIST AI 600-1 | NIST AI RMF | NIST CSF 2.0 | MITRE ATLAS | ISO/IEC 42001

### Findings Summary
| Severity | Count |
|---|---|
| 🔴 CRITICAL | 0 |
| 🟠 HIGH | 1 |
| 🟡 MEDIUM | 0 |
| 🟢 LOW | 0 |

### Findings Detail
| # | Category | Severity | Conf | OWASP | AI-RMF | CSF 2.0 | MITRE | ISO |
|---|---|---|---|---|---|---|---|---|
| 1 | role_hijacking | CRITICAL | 95% | LLM01:2025 | MEASURE-2.7 | DE.CM-01 | AML.T0051.000 | A.6.1.5 |

### Remediation Status
✅ All findings sanitized. Content delivered clean.

*Report generated by Visus MCP — Security-first web access for Claude*
---

Note: PDF export for compliance artifacts is on the roadmap for a future visus_report tool.

Examples

Example 1: Public Health Page with PII Allowlist

Fetching a MedlinePlus health information page demonstrates both injection pattern detection and the domain-scoped PII allowlist feature.

Tool Call:

{
  "url": "https://medlineplus.gov/poisoning.html",
  "format": "markdown"
}

Sanitized Output (excerpt):

{
  "url": "https://medlineplus.gov/poisoning.html",
  "content": "# Poisoning\n\n**Call 1-800-222-1222** for immediate help...\n\n**Contact:** [REDACTED:EMAIL] for general inquiries...",
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": ["email"],
    "pii_allowlisted": [
      {
        "type": "phone",
        "value": "1-800-222-1222",
        "reason": "Trusted health authority number on medlineplus.gov (Poison Control)"
      }
    ],
    "content_modified": true
  },
  "metadata": {
    "title": "Poisoning: MedlinePlus",
    "content_length_original": 15234,
    "content_length_sanitized": 15180
  }
}

What Visus caught: Regular email addresses were redacted ([REDACTED:EMAIL]), but the Poison Control hotline number was preserved because it appears on a trusted .gov health domain. This demonstrates the PII allowlist in action — critical health resources remain accessible while general contact info is scrubbed.

Example 2: Structured Data Extraction from Documentation

Extract navigation links and headings from a documentation page.

Tool Call:

{
  "url": "https://docs.github.com/en",
  "schema": {
    "main_heading": "h1",
    "first_link": "link url",
    "first_link_text": "link text",
    "description": "paragraph text"
  }
}

Sanitized Output:

{
  "url": "https://docs.github.com/en",
  "data": {
    "main_heading": "GitHub Docs",
    "first_link": "/en/get-started",
    "first_link_text": "Get started",
    "description": "Help for wherever you are on your GitHub journey."
  },
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": [],
    "pii_allowlisted": [],
    "content_modified": false
  },
  "metadata": {
    "title": "GitHub Docs",
    "content_length_original": 45123,
    "content_length_sanitized": 45123
  }
}

What Visus caught: This page was clean — no injection patterns or PII detected. The structured extraction returned all requested fields with content_modified: false, indicating the sanitizer validated the content but made no changes.

Example 3: JavaScript-Heavy SPA with Playwright Rendering

Modern single-page applications require JavaScript execution. Visus uses headless Chromium via Playwright to render dynamic content before sanitization.

Tool Call:

{
  "url": "https://github.com/anthropics/anthropic-sdk-typescript",
  "format": "markdown",
  "timeout_ms": 15000
}

Sanitized Output (excerpt):

{
  "url": "https://github.com/anthropics/anthropic-sdk-typescript",
  "content": "# anthropic-sdk-typescript\n\n**Repository:** anthropics/anthropic-sdk-typescript\n\n**Description:** TypeScript SDK for Anthropic's Claude API...\n\n**Latest commit:** [REDACTED:COMMIT_HASH] by [REDACTED:EMAIL]...",
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": ["email"],
    "pii_allowlisted": [],
    "content_modified": true
  },
  "metadata": {
    "title": "GitHub - anthropics/anthropic-sdk-typescript",
    "content_length_original": 23456,
    "content_length_sanitized": 23401
  }
}

What Visus caught: The page rendered completely via Playwright (including React components, lazy-loaded content, and dynamic navigation). Email addresses in commit author fields were redacted. No injection patterns were detected in this legitimate repository page.

Key difference from static fetchers: Tools like curl or basic HTTP clients would return an empty <div id="root"> for SPAs. Visus renders the full JavaScript application before sanitization, ensuring you get the actual page content Claude sees.

Example 4: Reader Mode for Context-Efficient Article Reading

When you need clean article content without navigation clutter, use visus_read to extract the main text using Mozilla Readability.

Tool Call:

{
  "url": "https://en.wikipedia.org/wiki/Prompt_injection",
  "timeout_ms": 15000
}

Sanitized Output (excerpt):

{
  "url": "https://en.wikipedia.org/wiki/Prompt_injection",
  "content": "Prompt injection is a type of cyberattack that involves adding malicious instructions to a prompt for an AI system...\n\n[Main article content continues, stripped of navigation, sidebars, and Wikipedia UI elements]\n\nSee also:\n- AI safety\n- Adversarial machine learning\n- Computer security...",
  "metadata": {
    "title": "Prompt injection - Wikipedia",
    "author": null,
    "published": null,
    "word_count": 892,
    "reader_mode_available": true,
    "sanitized": true,
    "injections_removed": 0,
    "pii_redacted": 0,
    "truncated": false,
    "fetched_at": "2024-01-15T14:22:00.000Z"
  }
}

What Visus caught: Readability successfully extracted the main article content, removing Wikipedia's navigation sidebar, footer links, and UI chrome. The extracted text is ~70% smaller than the full page HTML, saving tokens while preserving all essential information. No injection patterns or PII were detected in this educational content.

Use case: Reader mode is ideal for documentation pages, news articles, blog posts, and any content-heavy page where you want the text without the surrounding UI. The word_count field helps you estimate token usage before processing.

Example 5: Safe Web Search with Injection Detection

Search the web safely using visus_search with DuckDuckGo, demonstrating how search results are sanitized before reaching the LLM.

Tool Call:

{
  "query": "AI prompt injection attacks",
  "max_results": 3
}

Sanitized Output (with detected injection):

{
  "query": "AI prompt injection attacks",
  "result_count": 3,
  "sanitized": true,
  "results": [
    {
      "title": "Prompt injection is a type of cyberattack...",
      "url": "https://en.wikipedia.org/wiki/Prompt_injection",
      "snippet": "Prompt injection is a type of cyberattack that involves adding malicious instructions to a prompt...",
      "injections_removed": 0,
      "pii_redacted": 0
    },
    {
      "title": "[REDACTED:INSTRUCTION_INJECTION] for details contact...",
      "url": "https://suspicious-seo-spam.example",
      "snippet": "[REDACTED:INSTRUCTION_INJECTION] [REDACTED:EMAIL]",
      "injections_removed": 2,
      "pii_redacted": 1
    },
    {
      "title": "AI Safety: Understanding Prompt Injection.",
      "url": "https://example.com/ai-safety",
      "snippet": "Learn how to protect your AI systems from prompt injection vulnerabilities...",
      "injections_removed": 0,
      "pii_redacted": 0
    }
  ],
  "total_injections_removed": 2
}

What Visus caught: The second search result contained both a prompt injection pattern ("Ignore previous instructions and...") and an email address. Both were detected and redacted before the result reached the LLM. The other results were clean and passed through unmodified.

Use case: Always use visus_search before fetching pages to safely discover content. Search results can contain SEO spam, malicious instructions, or PII that would compromise your AI agent.

Example 6: JSON API Response with Format Detection

Fetch JSON data from an API endpoint with automatic formatting and sanitization.

Tool Call:

{
  "url": "https://api.github.com/repos/anthropics/anthropic-sdk-typescript",
  "format": "text"
}

Sanitized Output (excerpt):

{
  "url": "https://api.github.com/repos/anthropics/anthropic-sdk-typescript",
  "content": "JSON Response:\n\n{\n  \"name\": \"anthropic-sdk-typescript\",\n  \"full_name\": \"anthropics/anthropic-sdk-typescript\",\n  \"description\": \"TypeScript library for the Anthropic API\",\n  \"stargazers_count\": 1234,\n  \"forks_count\": 89\n}",
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": [],
    "content_modified": false
  },
  "metadata": {
    "title": "",
    "fetched_at": "2024-01-15T16:30:00.000Z",
    "content_length_original": 3456,
    "content_length_sanitized": 3456,
    "format_detected": "json",
    "content_type": "application/json"
  }
}

What Visus caught: The Content-Type header application/json was detected, and the raw JSON was automatically formatted with 2-space indentation for readability. The sanitizer validated the content and found no injection patterns or PII (clean API response).

Format detection features:

• Automatically detects Content-Type from HTTP response headers
• JSON responses are pretty-printed with indentation
• XML/RSS feeds are converted to clean Markdown
• All formats pass through the sanitizer pipeline
• format_detected and content_type included in metadata

Example 7: RSS Feed with Automatic Markdown Conversion

Fetch an RSS feed and have it automatically converted to clean Markdown format.

Tool Call:

{
  "url": "https://blog.example.com/feed.xml"
}

Sanitized Output (excerpt):

{
  "url": "https://blog.example.com/feed.xml",
  "content": "RSS Feed:\n\n# Example Blog\nThe latest news and updates\n\n## Items\n\n### New Feature Release\n\nWe're excited to announce our latest feature update...\n\nLink: https://blog.example.com/new-feature\nPublished: Mon, 15 Jan 2024 10:00:00 GMT\n\n---\n\n### Security Best Practices\n\nLearn about the latest security recommendations...\n\nLink: https://blog.example.com/security\nPublished: Tue, 16 Jan 2024 14:30:00 GMT\n\n---",
  "sanitization": {
    "patterns_detected": [],
    "pii_types_redacted": [],
    "content_modified": false
  },
  "metadata": {
    "title": "",
    "fetched_at": "2024-01-15T16:45:00.000Z",
    "content_length_original": 5678,
    "content_length_sanitized": 5678,
    "format_detected": "rss",
    "content_type": "application/rss+xml"
  }
}

What Visus caught: The Content-Type header application/rss+xml triggered RSS feed parsing. The feed XML was converted to clean Markdown showing the channel title, description, and up to 10 feed items with titles, links, descriptions (truncated to 200 chars), and publication dates. All content was sanitized for injection patterns.

RSS/Atom support:

• RSS 2.0, RSS 1.0 (RDF), and Atom feed formats supported
• Extracts channel metadata and up to 10 items
• Converts to clean Markdown with proper formatting
• Item descriptions truncated to 200 characters for readability
• Graceful fallback to XML parsing for invalid feeds

Safe Research Loop (3-Step Workflow)

Combine all three tools for safe, context-efficient web research:

Step 1: Discover – Use visus_search to find relevant pages safely:

{
  "query": "TypeScript async patterns",
  "max_results": 5
}

Step 2: Read – Use visus_read to extract clean article content:

{
  "url": "https://blog.example.com/typescript-async-guide"
}

Step 3: Extract – Use visus_fetch_structured to pull specific data:

{
  "url": "https://docs.typescript.com/reference/async",
  "schema": {
    "syntax": "async/await syntax",
    "example": "code example",
    "best_practices": "recommended patterns"
  }
}

All three steps run content through the sanitization pipeline, ensuring end-to-end security from search to extraction.

Environment Variables

# Optional — for Lateos hosted tier features (Phase 2)
LATEOS_API_KEY=your-api-key          # Enables audit logging to Lateos cloud
LATEOS_ENDPOINT=https://api.lateos.ai

# Optional — browser config
VISUS_TIMEOUT_MS=10000   # Default fetch timeout (milliseconds)
VISUS_MAX_CONTENT_KB=512 # Max content size before truncation (kilobytes)

No API key required for open-source tier. npx visus-mcp works out of the box.

Lateos Platform

Visus is part of the Lateos platform — a security-by-design AI agent framework:

• AWS Serverless: Lambda, Step Functions, API Gateway, Cognito
• Security: Bedrock Guardrails, KMS encryption, Secrets Manager
• Validated Patterns: 43 injection patterns, 389/389 passing tests
• CISSP/CEH-Informed: Designed by security professionals

Learn more: lateos.ai (Phase 2)

Development

Prerequisites

macOS / Windows: No additional setup required.

Linux: Playwright requires the following system libraries. Install them before running npm install:

# Ubuntu / Debian
sudo apt-get install -y \
  libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 \
  libxkbcommon0 libxcomposite1 libxdamage1 libxfixes3 \
  libxrandr2 libgbm1 libnss3 libxss1 libasound2

# Fedora / RHEL
sudo dnf install -y atk at-spi2-atk libXrandr libgbm \
  nss alsa-lib libXss cups-libs libdrm libxkbcommon

If npm test fails with a Chromium launch error on Linux, see TROUBLESHOOT-PLAYWRIGHT.md for detailed troubleshooting steps.

# Clone repo
git clone https://github.com/visus-mcp/visus-mcp.git
cd visus-mcp

# Install dependencies
npm install

# Build
npm run build

# Run tests
npm test

# Start MCP server
npm start

Project Status

| Version | Status | Highlights | |---|---|---| | v0.11.0 | ✅ Released | IPI Threat Detection — 7 specialized detectors, threat_summary in all tools | | v0.10.0 | ✅ Released | Cryptographic Proof System (SHA-256 + HMAC, EU AI Act Art. 9/13/15) | | v0.8.1 | ✅ Released | PDF extraction bug fix | | v0.8.0 | ✅ Released | PDF/JSON/SVG content-type handlers | | v0.7.0 | ✅ Complete | HITL Elicitation Bridge for CRITICAL threats | | v0.6.0 | ✅ Released | Content-Type detection (JSON/XML/RSS) | | v0.5.0 | ✅ Released | TOON threat reports, NIST/OWASP/MITRE/ISO42001 | | v0.4.0 | ✅ Released | Safe DuckDuckGo search | | v0.3.2 | ✅ Released | Reader mode (Mozilla Readability) | | v0.3.1 | ✅ Released | Security hardening, 100% compliance | | v0.3.0 | ✅ Released | PII allowlist (health authority numbers) |

Phase 3 — Anthropic MCP Directory submission in progress.

Roadmap: visus_report PDF export · Docker image · visus-file-mcp (document sanitization) · Chrome extension for authenticated pages (LinkedIn, X, dashboards)

Security

For detailed threat model, pattern examples, and vulnerability reporting:

→ Read SECURITY.md

Report vulnerabilities: [email protected] or GitHub Security

License

MIT License

Copyright (c) 2026 Lateos (Leo Chongolnee)

Credits

Built by Leo Chongolnee (@leochong) as part of the Lateos platform.

Repository: https://github.com/visus-mcp/visus-mcp

Inspired by the MCP ecosystem and informed by CISSP/CEH security principles.

FAQ

Q: Does visus-mcp replace Claude's own safety features? A: No — and it's not trying to. Claude handles most injection attempts natively through its safety training. visus-mcp is a pre-filter that runs before content enters Claude's context window. The benefit is efficiency: your agent doesn't spend tokens processing noise, ads, tracking scripts, or known injection patterns that would be stripped anyway. Think of it as a pre-processor, not a replacement for model-level safety. The two layers together are more robust than either alone.

Q: Does Visus slow down web fetching? A: Minimal overhead. Sanitization adds ~50-200ms per page.

Q: Can attackers bypass the sanitizer? A: Novel obfuscation techniques or AI-generated benign-looking instructions may evade detection. See SECURITY.md for honest limitations.

Q: Does Visus work with authenticated pages? A: Phase 1 uses headless-only rendering. Phase 2 will add user session relay via Chrome extension.

Q: How does Visus compare to Firecrawl? A: Firecrawl is excellent for web scraping but doesn't sanitize for prompt injection. Visus focuses on security-first content delivery.

Q: Is Visus free? A: Yes! Open-source tier is free forever. Phase 2 will introduce a hosted tier with SLA guarantees for enterprise use.

EU Regulatory Compliance

Visus-MCP is designed with EU AI Act and GDPR principles as first-class architectural constraints, not afterthoughts. This section provides a mapping between Visus features and the specific regulatory articles they address, enabling integrators to build toward presumption of conformity via the EU AI Act Code of Practice and harmonised standards under CEN/CENELEC JTC 21.

Feature → Regulation Mapping

| Visus-MCP Feature | EU AI Act Article | GDPR Article | Regulatory Rationale | |---|---|---|---| | Prompt injection sanitization (43 validated patterns) | Art. 9 — Risk Management System | Art. 32 — Security of Processing | Mandatory technical measures to prevent adversarial manipulation of AI outputs | | Untrusted-by-default web content model | Art. 9 — Risk Management System | Art. 5(1)(f) — Integrity & Confidentiality | Treats all external input as hostile; maps to adversarial robustness requirement in Code of Practice Measure 2.5 | | No raw external content forwarded to LLM | Art. 15 — Robustness, Accuracy & Cybersecurity | Art. 5(1)(c) — Data Minimisation | Only sanitized, stripped content reaches the model; reduces attack surface and unnecessary data exposure | | Content sanitization before AI processing | Art. 15 — Robustness, Accuracy & Cybersecurity | Art. 25 — Data Protection by Design | Sanitization is enforced at ingestion, not as an optional post-processing step | | Stateless fetch architecture (no session persistence) | Art. 10 — Data & Data Governance | Art. 5(1)(e) — Storage Limitation | No user browsing data retained beyond the immediate request | | Open-source, auditable codebase | Art. 13 — Transparency & Provision of Information | Art. 5(2) — Accountability | Full auditability for conformity assessment bodies and data protection authorities | | SECURITY-AUDIT-v1.md (planned red team disclosure) | Art. 9 — Risk Management + Code of Practice §4 Adversarial Testing | Art. 32(1)(d) — Regular Testing | Aligns with EDPS guidance on AI risk management: document threats, test mitigations, publish findings | | MCP endpoint scoped permissions | Art. 9 — Risk Management System | Art. 25 — Data Protection by Design | Least-privilege access model; each tool call scoped to minimum required capability |

EU AI Act Code of Practice Alignment

The EU AI Act Code of Practice (General-Purpose AI, published 2025) identifies adversarial testing and mitigation documentation as key obligations for AI system providers. Visus-MCP addresses these through:

• Measure 2.5 (Adversarial Robustness): Prompt injection defense is the primary threat model. The 43-pattern detection library directly addresses adversarial input manipulation.
• Measure 4.1 (Incident Reporting Preparedness): The planned SECURITY-AUDIT-v1.md constitutes a pre-emptive disclosure document that regulators can use to assess risk management maturity.
• Measure 1.2 (Capability Transparency): The open-source architecture and this compliance mapping serve as the transparency artifact required under Art. 13.

EDPS Guidance on AI Risk Management

The European Data Protection Supervisor's Guidelines on AI and Data Protection (2022, updated 2024) require that AI systems processing content on behalf of users implement:

1. Risk identification at ingestion — Visus sanitizes at the fetch layer before any data reaches the AI model.
2. Technical measures proportionate to risk — Stateless architecture and data minimisation limit blast radius of any breach.
3. Accountability documentation — This mapping table, combined with SECURITY.md and STATUS.md, constitutes the technical documentation required under GDPR Art. 30 (Records of Processing) for AI-assisted data handling.

Presumption of Conformity Path

Integrators deploying Visus-MCP in EU contexts can reference this mapping to support conformity claims under:

• EN ISO/IEC 42001 (AI Management Systems) — risk management and data governance controls
• ETSI EN 303 645 (Cyber Security for Consumer IoT, applicable by analogy to AI agents)
• EU AI Act Annex IV (Technical Documentation) — this section, SECURITY.md, and STATUS.md together form a substantive portion of the required technical file

Note: Visus-MCP is an open-source tool. Conformity assessment obligations apply to the deploying organisation, not to the upstream open-source component. This documentation is provided to assist deployers in meeting their obligations.

Privacy Policy

Effective Date: March 28, 2026 Last Updated: March 28, 2026

What Data Does Visus Collect?

Visus is a local-first tool that runs entirely on your machine. It does not transmit data to external servers.

Data Processing:

• Web pages fetched via visus_fetch, visus_read, visus_search, and visus_fetch_structured are processed locally using Playwright
• Content is sanitized in-memory and returned to Claude Desktop via MCP protocol
• No content, URLs, or user data is logged, stored, or transmitted to external services

Structured Logging:

• Sanitization events are logged to stderr only in structured JSON format for debugging
• Logs contain detection metadata (pattern names, severity scores) but do not contain original content
• Logs remain on your local machine and are never transmitted

No Third-Party Services:

• No analytics, telemetry, or tracking
• No external API calls (except to fetch the URLs you explicitly request)
• DuckDuckGo search uses the public search API but sends no identifying information

Data Retention

Visus does not retain any data. All processing is stateless and ephemeral.

Third-Party Data Sharing

None. Visus does not share data with any third party.

Contact

For privacy questions or concerns:

• Email: [email protected]
• GitHub Issues: https://github.com/visus-mcp/visus-mcp/issues
• Security vulnerabilities: See SECURITY.md

Built with by Lateos