Classify a vulnerability by type, severity, and OWASP category.

Args: description: Description of the vulnerability. affected_component: Component or service affected. has_exploit: Whether a known exploit exists. network_accessible: Whether the vuln is network-accessible. auth_required: Whether authentication is required to exploit.

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool for security assessment, threat detection, or vulnerability analysis. Suitable for automated security scanning and risk evaluation.

When NOT to use: Do not rely solely on this tool for production security decisions. Always combine with manual security review. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.

Look up CVE details from the vulnerability database.

Args: cve_id: Specific CVE identifier (e.g. CVE-2024-3094). product: Product name to search for. severity: Filter by severity (critical|high|medium|low).

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool for security assessment, threat detection, or vulnerability analysis. Suitable for automated security scanning and risk evaluation.

When NOT to use: Do not rely solely on this tool for production security decisions. Always combine with manual security review. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.

Analyze HTTP security headers against best practices.

Args: headers: Dict of HTTP response headers. Example: {"Strict-Transport-Security": "max-age=31536000"}.

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool for security assessment, threat detection, or vulnerability analysis. Suitable for automated security scanning and risk evaluation.

When NOT to use: Do not rely solely on this tool for production security decisions. Always combine with manual security review.

Analyze password strength and provide improvement suggestions.

Args: password: The password to analyze (processed locally, never stored or transmitted).

Behavior: This tool is read-only and stateless — it produces analysis output without modifying any external systems, databases, or files. Safe to call repeatedly with identical inputs (idempotent). Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool for security assessment, threat detection, or vulnerability analysis. Suitable for automated security scanning and risk evaluation.

When NOT to use: Do not rely solely on this tool for production security decisions. Always combine with manual security review. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.

Generate a STRIDE-based threat model for a system.

Args: system_name: Name of the system being modeled. components: System components (e.g. web_app, api_server, database, cache). data_types: Types of data processed (e.g. pii, financial, health, credentials). external_interfaces: External integrations (e.g. payment_gateway, email_service). authentication_method: password | mfa | sso | api_key | oauth. deployment: cloud | on_premise | hybrid | serverless.

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool for security assessment, threat detection, or vulnerability analysis. Suitable for automated security scanning and risk evaluation.

When NOT to use: Do not rely solely on this tool for production security decisions. Always combine with manual security review. Behavioral Transparency: - Side Effects: This tool is read-only and produces no side effects. It does not modify any external state, databases, or files. All output is computed in-memory and returned directly to the caller. - Authentication: No authentication required for basic usage. Pro/Enterprise tiers require a valid MEOK API key passed via the MEOK_API_KEY environment variable. - Rate Limits: Free tier: 10 calls/day. Pro tier: unlimited. Rate limit headers are included in responses (X-RateLimit-Remaining, X-RateLimit-Reset). - Error Handling: Returns structured error objects with 'error' key on failure. Never raises unhandled exceptions. Invalid inputs return descriptive validation errors. - Idempotency: Fully idempotent — calling with the same inputs always produces the same output. Safe to retry on timeout or transient failure. - Data Privacy: No input data is stored, logged, or transmitted to external services. All processing happens locally within the MCP server process.