StealthMole MCP Server

Official
by StealthMole

MCP (Model Context Protocol) server for accessing StealthMole threat intelligence API. Search and monitor threats across Deep & Dark Web through Claude and other MCP clients.

Features

Comprehensive API Coverage

  • Darkweb Tracker (DT): Search Deep & Dark web content across 50+ indicators

  • Telegram Tracker (TT): Search Telegram channels, users, and messages

  • Credential Lookout (CL): Search leaked credentials from breaches

  • Compromised Data Set (CDS): Search infected device leaks from stealer malware

  • Combo Binder (CB): Search ID/Password combo leaks

  • ULP Binder (UB): Search URL-Login-Password format leaks

  • Ransomware Monitoring (RM): Monitor ransomware group breach incidents

  • Government Monitoring (GM): Monitor threats against government sector

  • Leaked Monitoring (LM): Monitor threats against enterprise sector

  • Management API: Track API usage quotas

Authentication

  • JWT-based authentication with HS256 signing

  • Automatic token generation and management

  • Secure session-level credential storage

Prerequisites

Installation

Development Setup

    # Install dependencies
    uv sync

    # Run the server
    uv run dev

    # Test interactively
    uv run playground

Using with Claude Desktop

Add to your Claude Desktop configuration file:

  • MacOS: ~/Library/Application Support/Claude/claude_desktop_config.json

  • Windows: %APPDATA%/Claude/claude_desktop_config.json

    {
      "mcpServers": {
        "stealthmole": {
          "command": "uv",
          "args": [
            "--directory",
            "/absolute/path/to/stealthmole-mcp",
            "run",
            "start"
          ],
          "env": {
            "STEALTHMOLE_ACCESS_KEY": "your_access_key",
            "STEALTHMOLE_SECRET_KEY": "your_secret_key"
          }
        }
      }
    }

Replace /absolute/path/to/stealthmole-mcp with the actual path to this directory.

Available Tools

Darkweb Tracker

dt_search_targets

Get list of searchable targets for an indicator

  • indicator: keyword, email, domain, ip, bitcoin, etc.

  • Returns: Available targets for the indicator

dt_search_target

Search for specific indicator and targets

  • indicator: Search type

  • targets: Comma-separated target list

  • text: Search query (supports AND, OR, NOT)

  • limit: Results limit (max: 100)

  • order_type: createDate or value

  • order: asc or desc

dt_search_all

Search across all targets for an indicator

  • indicator: Search type

  • text: Search query

  • limit: Results limit (max: 100)

dt_search_by_id

Get paginated results using search ID

  • search_id: ID from previous search

  • cursor: Pagination cursor

  • limit: Results limit (max: 100)

dt_get_node_details

Get detailed information for a node

  • node_id: Node ID from search results

  • parent_id: Optional parent node ID

  • data_from: Include data source list

  • include_url: Include URL list

  • include_contents: Include HTML source

Telegram Tracker

tt_search_targets

Get searchable targets for Telegram indicator

  • indicator: keyword, telegram.channel, telegram.user, etc.

tt_search_target

Search Telegram for specific targets

  • indicator: Search type

  • targets: Comma-separated target list

  • text: Search query

  • limit: Results limit (max: 100)

tt_get_node_details

Get detailed Telegram node information

  • node_id: Node ID from search results

Credential Lookout

cl_search

Search for leaked credentials

  • query: Search with indicators (domain:, email:, id:, password:, after:, before:)

  • limit: Results limit (max: 50)

  • cursor: Pagination cursor

  • start/end: UTC timestamp filters

Example queries:

  • domain:example.com - All leaks for domain

  • email:user@example.com - Specific email leaks

  • domain:example.com AND after:2024-01 - Recent leaks

Compromised Data Set

cds_search

Search infected device leaks

  • query: Search with indicators (domain:, url:, email:, id:, password:, ip:, country:, after:, before:)

  • limit: Results limit (max: 50)

cds_get_node_details

Get detailed CDS information (requires Cyber Security Edition)

  • node_id: Node ID from search results

  • Returns: Stealer path, type, and full device info

Combo Binder

cb_search

Search ID/Password combo leaks

  • query: Search with indicators (domain:, email:, id:, password:, after:, before:)

  • limit: Results limit (max: 50)

ULP Binder

ub_search

Search URL-Login-Password format leaks

  • query: Search with indicators (domain:, url:, email:, id:, password:, after:, before:)

  • limit: Results limit (max: 50)

Monitoring APIs

rm_search - Ransomware Monitoring

Monitor ransomware group breach incidents

  • query: Optional (torurl:, domain:) or empty for recent

  • limit: Results limit (max: 50)

  • order_type: detectionTime, victim, or attackGroup

gm_search - Government Monitoring

Monitor threats against government sector

  • query: Optional (url:, id:) or empty for recent

  • limit: Results limit (max: 50)

  • order_type: detectionTime, title, or author

lm_search - Leaked Monitoring

Monitor threats against enterprise sector

  • query: Optional (url:, id:) or empty for recent

  • limit: Results limit (max: 50)

Management

get_user_quotas

Get API usage quotas for current month

Returns: Allowed and used queries per service

Search Query Syntax

Indicators

Darkweb Tracker supports 50+ indicators:

  • Network: domain, ip, tor, torurl, i2p, i2purl, url

  • Identity: email, id, tel, kssn

  • Financial: bitcoin, ethereum, monero, creditcard

  • Files: document, exefile, image, hash, blueprint

  • Social: facebook, twitter, instagram, telegram, discord

  • Security: cve, ioc, malware

Operators

  • AND: Both terms must be present

  • OR: Either term must be present (max 3 per query)

  • NOT: Exclude term from results

  • Max total: 5 operators per query

Examples

Keyword search:

    "ransomware"

Indicator search:

    email:user@example.com
    domain:target.com
    bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Combined operators:

    domain:example.com AND email:admin
    ip:192.168.1.1 OR ip:10.0.0.1
    domain:target.com AND NOT test

Time filters:

    domain:example.com AND after:2024-01
    email:admin AND before:2024-06-01

Resources

The server provides built-in documentation resources:

  • stealthmole://api-info - API overview and service information

  • stealthmole://indicators - Complete list of Darkweb Tracker indicators

Error Handling

Common API error codes:

  • 401 - Invalid or expired token

  • 400 - Invalid parameters (limit, cursor, etc.)

  • 404 - Resource not found

  • 422 - Bulk export required (>1M results)

  • 426 - Query limit exceeded

API Limits

  • Darkweb Tracker: Max 100 results per request

  • Other APIs: Max 50 results per request

  • Operators: Max 3 OR, max 5 total per query

  • Bulk Export: Contact support for >1M results

Development

Project Structure

    stealthmole-mcp/
    ├── src/stealthmole_mcp/
    │   ├── __init__.py
    │   └── server.py        # Main server implementation
    ├── pyproject.toml       # Project configuration
    └── README.md            # This file

Running Tests

    # Interactive testing
    uv run playground

    # Try example queries:
    dt_search_targets(indicator="keyword")
    cl_search(query="domain:example.com")
    get_user_quotas()

Deployment

Deploy to Smithery

  1. Push code to GitHub

  2. Deploy at smithery.ai/new

  3. Configure with your StealthMole credentials

Self-Hosting

Run the server directly:

    # Production mode
    uv run start

    # Development mode with auto-reload
    uv run dev

Security Notes

⚠️ Important: Keep your API credentials secure

  • Never commit credentials to version control

  • Use environment variables or secure configuration

  • Rotate keys regularly

  • Monitor API usage for anomalies

Support

License

This MCP server implementation is provided as-is. StealthMole API access requires a valid subscription and credentials.

Version

Current version: 0.1.0 (November 2024)

Based on StealthMole API v2.2
