Enrichment MCP Server

lookup-observable

Analyze security observables like IPs, domains, URLs, or emails by routing them to appropriate enrichment services such as VirusTotal or Shodan for threat intelligence.

Instructions

A generic tool which takes any observable and passes it the correct tool.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`value`	Yes

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

server.py:55-62 (handler)
The main handler function for the 'lookup-observable' tool. It lazily initializes a security_cli Action and calls its enrich method on the input value (observable).
```
async def lookup(value: str) -> str:
    from security_cli.action import Action

    if not enrichmentmcp:
        enrichmentmcp = Action()

    return enrichmentmcp.enrich(value)
```

server.py:65-69 (registration)

Registers the 'lookup' function as the MCP tool named 'lookup-observable' with a description.

mcp.add_tool(
    lookup,
    name="lookup-observable",
    description="A generic tool which takes any observable and passes it the correct tool.",
)

server.py:38-51 (registration)

Registers a prompt named 'lookup-observable' with argument schema for 'observable' and a default prompt generator function.

mcp.add_prompt(
    Prompt(
        name="lookup-observable",
        description="A simple security prompt for observable lookup",
        arguments=[
            PromptArgument(
                name="observable",
                description="A observable to enrich",
                required=True,
            )
        ],
        fn=get_default_prompt
    )
)

server.py:23-34 (helper)

Helper function that generates a default prompt for observable enrichment analysis, used by the registered prompt.

def get_default_prompt(observable: str) -> str:
    return f"""
As a security analyst, detection engineer and network security engineer you are responsible for making a risk level determination of one or more provided observables.

Using your knowledge from these diverse fields, networking constructs, detection (security) reasoning, and responses from third-party enrichment services.

Carefully consider the output from these services along with historical knowledge both internal and external from an organization to make a determination of the risk of a provided
observable. Make a determination based on all these factors on whether the observable is benign, suspicious, malicious, unknown. If unknown provide suggestions for other relative context
that may be needed in order to make the determination.

Your objective is to assist with the threat determination of a given observable. The observable is {observable}
"""

Tool Definition Quality

D1.6/5.0

Behavior1/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It fails to describe any traits—such as whether it's read-only, destructive, requires authentication, or has rate limits—and does not explain what 'passes it' means in terms of output or side effects.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single sentence, which is appropriately concise, but it is not front-loaded with critical information. It wastes space on vague phrasing like 'generic tool' without adding value, though it avoids excessive verbosity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (with an output schema but no annotations and 0% schema coverage), the description is incomplete. It does not clarify the tool's purpose, parameters, or behavior, failing to compensate for the lack of structured data, though the output schema might help mitigate some gaps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters1/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, and the description does not add any meaning beyond the schema. It does not explain what 'value' represents (e.g., what an 'observable' is), its format, or constraints, leaving the single parameter undocumented and unclear.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose2/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description states 'takes any observable and passes it the correct tool,' which is tautological—it restates the tool's name 'lookup-observable' without specifying what an 'observable' is or what 'passes it' entails. It lacks a clear verb+resource combination, making the purpose vague and minimally informative.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines1/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

There is no guidance on when to use this tool, such as context, prerequisites, or alternatives. The description is generic and does not provide any usage instructions, leaving the agent with no direction on its application.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

lookup-observableD

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/MSAdministrator/enrichment-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server