MoonMCP
MoonMCP is a scope-aware bug-bounty and reconnaissance MCP server exposing 54 tools, 5 resources, and 7 prompts for passive OSINT, active reconnaissance, and intrusive security testing, with structured JSON output and a built-in authorization model.
Meta / Scope Management
server_status— View server config, capabilities, and detected external CLI toolsscope_list/scope_add/scope_exclude/scope_remove— Dynamically manage authorized testing scope (exclusions always override allowlist)
Passive OSINT (no direct target contact)
enumerate_subdomains— Discover subdomains via crt.sh, HackerTarget, AnubisDB, AlienVault OTXwayback_urls— Retrieve historical URLs from the Internet Archivecve_lookup/cve_search— Look up CVEs by ID or keyword from NVD, sorted by severityhost_intel— Query Shodan (free InternetDB or full API) for open ports, hostnames, CPEs, and known CVEsip_intel— Map IPs to ASN, org, ISP, cloud providerreverse_ip— Find co-hosted domainsemail_security— Assess SPF/DMARC/DKIM/CAA posturejwt_analyze— Decode and analyze JWTs
Active — Light Recon (benign, in-scope requests)
dns_lookup— Resolve A/AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR recordshttp_probe— Structured HTTP(S) requests returning status, headers, timing, redirect chain, page titletls_inspect— Inspect TLS certificates, validity, SANsanalyze_headers— Audit HTTP security headers with A–F gradefingerprint— Detect web server, CDN, language, framework, CMS, JS librarieswell_known— Fetch and parse robots.txt, sitemap.xml, security.txt, humans.txt
Active — Web App Checks (in-scope, structured findings)
crawl— Depth-1 crawl for links, forms, JS assetsextract_secrets— Scan pages and JS for exposed secretscors_audit— Audit CORS misconfigurationsgraphql_check— Discover GraphQL endpoints and test introspectionwaf_detect/waf_efficacy— Detect and test WAF/CDN efficacytakeover_check— Test subdomain takeoveropen_redirect— Test open redirectsvcs_exposure— Confirm .git/.svn/.env exposurescreenshot— Take screenshots via Playwrightanalyze_binary/analyze_config— Analyze binaries and config files for secrets/misconfigsfavicon_hash/tls_fingerprint/jarm_fingerprint— Fingerprinting and pivotingorigin_discovery— Discover real origin IP behind CDNbehavior_probe— Behavioral profiling (soft 404s, stack traces, etc.)desync_probe— Detect request-smuggling indicators
Active — Intrusive (gated by MOONMCP_ALLOW_INTRUSIVE)
port_scan— TCP connect-scan with optional banner grabbingcontent_discovery— Probe for sensitive paths using built-in or custom wordlistshttp_methods— Enumerate allowed HTTP methodsvuln_scan— Run nuclei template-based vulnerability scans
Orchestration & External Tools
recon_target— One-shot passive+light recon sweep chaining subdomains → DNS → TLS → HTTP → headers → fingerprintreport— Generate a severity-ranked Markdown reportadd_finding/list_findings/clear_findings— Manage findings session storeexternal_tools— List detected external security CLIsrun_scanner— Execute external CLIs (subfinder, httpx, nuclei, nmap, ffuf, etc.) with scope-checked targets and auto-parsed output
Knowledge Base
injection_info/injection_search/match_injection_signatures— 29 injection classes with payloads, signatures, and response matchingtechnique_info/technique_search— 115 exploitation techniques with references
Resources: Access scope, capabilities, findings, full injection catalog, and technique catalog via MCP resource URIs.
Operator Prompts: Pre-built system prompts for AI agents — bug_bounty_operator, deep_recon, injection_hunt, technique_advisor, triage_and_report, safe_recon, recon_methodology.
Provides access to historical URLs from the Internet Archive for passive reconnaissance.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MoonMCPperform a full recon sweep on example.com"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
🌙 MoonMCP
A scope-aware bug-bounty & reconnaissance MCP server that works out of the box on the Python standard library — and augments itself with your favourite CLI tools when they're present.
MoonMCP exposes a curated set of reconnaissance, fingerprinting and OSINT capabilities to any Model Context Protocol client (Claude Desktop, Claude Code, Cursor, …), so an AI agent can map a target's attack surface safely and within an authorised scope.
⚖️ Authorised testing only. MoonMCP is for security research on assets you own or are explicitly permitted to test (e.g. a bug-bounty program's in-scope targets). You are responsible for staying within scope and the law.
Why another recon MCP server?
Before writing a line of code, we surveyed the ecosystem: a fan-out research pass
discovered 161 candidate projects and deep-read 23 confirmed bug-bounty /
offensive-security MCP servers (ProjectDiscovery's pd-tools-mcp, HexStrike AI,
ExternalAttacker-MCP, gokulapap/bugbounty-mcp-server,
SlanyCukr/bugbounty-mcp-server, VulneraMCP, akinabudu/bug-bounty-mcp,
cyproxio/mcp-for-security, several pentest-mcp variants, BurpMCP, and the
HackerOne-platform integrations, among others). The full survey and the design
blueprint it produced are in docs/RESEARCH.md. Three patterns
stood out:
Observation across the ecosystem | MoonMCP's answer |
Almost everything is a thin CLI wrapper. They shell out to | Stdlib-first. Every core tool is implemented on the Python standard library, so MoonMCP is useful the moment it starts — no external binaries required. |
Kitchen-sink surfaces (some expose 40–50 tools) that assume a fully-loaded pentest box and offer little safety. | A focused tool surface covering the recon workflow end-to-end, each with structured JSON output, plus offline knowledge bases (injections, techniques, privilege escalation, server-side vulns, WAF). |
No authorization model. Point-and-scan primitives with no notion of "is this target in scope?" | Scope-first. Every packet-sending tool is gated by an authorization scope; intrusive scans are opt-in and rate-limited. |
MoonMCP's design principles:
🔋 Works out of the box — zero required dependencies beyond the MCP SDK.
🧩 Augments, never depends — detects and wraps
nuclei/httpx/subfinder/nmap/… when installed, degrades gracefully when not.🛡️ Scope-first & safe by default — an authorization guardrail on every active tool, rate limiting, and an intrusive-tools switch.
📦 Structured output — everything returns clean JSON, not scraped console text.
Related MCP server: Bug Bounty MCP Server
Tool surface
MoonMCP exposes 115 tools, 11 resources and 8 operator prompts, grouped by how much they touch the target:
🟢 Meta / scope
Tool | Purpose |
| Report config, active program, detected enhancers and external CLIs. |
| Self-describing map of all tools grouped by family, each tagged |
| Manage the authorization scope at runtime. |
| Bug-bounty program profiles. Each program carries its own scope and its own identifying header (e.g. |
| Set the engagement auth context (bearer / cookie / basic / headers) so the web tools test the authenticated surface — merged into every in-scope request only. |
| Out-of-band callback canaries to confirm blind vulns (blind SSRF/XXE/RCE/SQLi, blind XSS): point at an interactsh/Collaborator ( |
| Read the session audit trail — one record per scope decision (allow / deny / SSRF-block) and external command (also on |
🔵 Passive OSINT (never touches the target)
Tool | Purpose |
| Search the internet (keyless, via DuckDuckGo) → structured title / URL / snippet results. Passive — queries a search engine, not the target. |
| Generate ready-to-run Google/Bing dorks for a target (exposed files, login panels, config/secrets, dir listings, code leaks, SSRF params). |
| Passive subdomain enum via crt.sh, HackerTarget, AnubisDB, AlienVault OTX. |
| Historical URLs from the Internet Archive (flags interesting endpoints). |
| Query the NVD for a CVE by ID or by keyword (e.g. a product+version). |
| IP exposure via Shodan InternetDB (free) or the full Shodan API. |
| Map an IP → ASN, org, ISP, cloud/CDN provider, hosting flag, reverse DNS, geo. |
| Other domains co-hosted on the same IP (reverse-IP lookup). |
| Enumerate cloud storage buckets (S3 / GCS / Azure Blob): permutate names from a keyword and probe which exist and which are anonymously listable. |
| SPF / DMARC / DKIM / CAA posture with an A–F grade (DNS-based). |
| Decode a JWT and flag |
🟡 Active — light (benign, in-scope requests)
Tool | Purpose |
| Resolve A/AAAA + MX/NS/TXT/CNAME/SOA/CAA (via dnspython or DNS-over-HTTPS, no dep needed) and reverse PTR. |
| Structured HTTP(S) probe: status, headers, timing, redirect chain, title. |
| Certificate subject/issuer/validity + Subject Alt Names (sibling hosts). |
| Security-header audit with an A–F grade; flags leaks and risky cookies. |
| Technology detection: server, CDN/WAF, language, framework, CMS, JS libs. |
| Fetch & parse robots.txt, sitemap.xml, security.txt, humans.txt. |
🕸️ Web-app checks (light active, in-scope, structured findings)
Tool | Purpose |
| Bounded depth-1 crawl → internal links, forms+inputs, JS/asset URLs, parameters, external hosts, emails. |
| Deep-extract the hidden API surface from a page and its JavaScript (LinkFinder-style) — absolute/relative endpoints a UI crawl misses, plus source maps ( |
| Parse an OpenAPI/Swagger spec (URL or pasted) → full endpoint/param/method inventory, servers, security schemes, and flags (operations with no security). |
| Scan a page and its JavaScript for exposed keys/tokens (AWS, GitHub, Slack, Stripe, private keys, JWTs) — redacted. |
| CORS misconfig: origin reflection, |
| Replay a request as user A (auth) vs user B vs anonymous and diff the responses → broken-access-control / IDOR signal (the #1 payout class; set |
| Discover GraphQL endpoints and test whether introspection is enabled. |
| Brute a wordlist of param names → flag hidden params the app reacts to: |
| Fingerprint WAF/CDN (Cloudflare, Akamai, Imperva, AWS WAF, Sucuri, F5, …). |
| Subdomain-takeover detection over a 40+ provider fingerprint DB (S3, GH Pages, Heroku, Azure, …). |
| Inject a canary into common redirect params (url, next, returnTo, …) — Location / meta / JS. |
| Follow a URL's redirect chain hop by hop and flag offsite / |
| Confirm exposed |
| Render a page to PNG via Playwright+Chromium when installed (else a graceful note). |
| Drive a headless browser: render a JS-heavy SPA and return the post-JS text/HTML, the console log, the network requests the page made, and page errors — endpoint/secret discovery a raw fetch can't see. Uses |
| Run JavaScript in the page (the browser console) and return the result + console log — inspect the live DOM, read |
| Drive a real user flow — click / fill / type / submit / wait / eval steps — and return the resulting page state plus cookies & localStorage (login, multi-step forms, SPA navigation). |
| Download a compiled artifact (.dll/.exe/.jar/.so) → filetype (incl. .NET), strings (ASCII+UTF-16), secrets, URLs, conn-strings; optional |
| Parse a config file (.env/INI/JSON/YAML/.properties/XML/PHP) → every setting by category + flags (secrets, DEBUG, TLS-off, wildcard CORS, weak creds, conn-strings). |
| Shodan-style favicon mmh3 hash + |
| Supported TLS versions (flags weak 1.0/1.1), cipher per version, ALPN / HTTP-2. |
| JARM active TLS fingerprint (62-char; verified byte-for-byte vs Salesforce) for infra/C2 pivoting. |
| Find the real origin IP behind a CDN/WAF via cert SANs, non-proxied subdomains and MX. |
| Behavioural profile: soft/custom-404, stack-trace disclosure, Host / X-Forwarded-Host reflection, methods, timing. |
🟠 Active — intrusive (gated by MOONMCP_ALLOW_INTRUSIVE)
Tool | Purpose |
| Unprivileged TCP connect-scan ( |
| Probe for sensitive paths (admin, |
| Enumerate allowed methods + probe risky ones (TRACE/PUT/DELETE/PATCH → XST / write-enabled). |
| Test which attack categories the WAF blocks (benign canaries) + whether simple transforms bypass it. |
| Detection-only request-smuggling indicators (CL+TE / obfuscated TE); complete-message probes, never poisons a connection. |
| Run a |
🧰 Interception (Burp-style, native — no external proxy)
Tool | Purpose |
| Repeater — send one fully-controlled request (structured or a |
| Intruder — a request |
| One benign GET → all passive analysers at once (header grade + issues, tech fingerprint, redacted secret hits). |
| Prove a lead before reporting it: baseline vs test request → weighs reflection, status/length/timing diff, injection signatures, and an out-of-band callback (OAST) into a verdict ( |
| SSTI detector — arithmetic markers per engine (Jinja2/Twig, Freemarker, ERB, Smarty, Velocity, Razor); reports which engine evaluated the expression. Intrusive. |
| SQLi detector — single-quote error signatures + a benign boolean pair (no data extraction). Reports the DBMS. Intrusive. |
| Blind SSRF detector — plants an OAST canary in a param and checks for a callback (start |
| Web cache poisoning detector — unkeyed-header reflection ( |
| Review / fetch / clear the session's request-response history (what repeater/intruder/passive_scan sent). |
🏗️ Behavioural infrastructure (infer the infra from response variance)
Tool | Purpose |
| Infer the backend fleet behind a load balancer: clusters N responses by their discriminators (Server, Via, backend-id headers, cookie names) → distinct backends, patch drift (nodes on different Server versions — one may be individually vulnerable) and clock skew. |
| DNS/zone behaviour: wildcard-DNS detection (so subdomain enum isn't fooled), DNS load-balancing (rotating A records), IPv6, and the CNAME target (dangling → takeover surface). |
| Host-header routing: does the edge validate the Host or serve the same app for any host (cache/reset poisoning surface)? Is a bogus host reflected (host-header injection) directly or via |
| Rate-limit behaviour: finds the throttle threshold/window, |
| TLS routing behaviour: real-host vs bogus-SNI cert diff (→ SNI routing / shared hosting / default-cert origin hint), supported versions (flags weak TLS 1.0/1.1), cipher, HTTP/2. |
| Edge topology: which CDN/WAF/cache vendors front the origin (Cloudflare/CloudFront/Fastly/Akamai/Sucuri/Imperva…), the |
| Raw HTTP/1.x fingerprint (intrusive): reactions to HTTP/1.0, an unknown method, an oversized header, and bare-LF line endings → lenient parsing / proxy-origin mismatch (desync surface). Detection-only. |
🔗 Orchestration & reporting
Tool | Purpose |
| Probe a list of hosts/URLs in parallel (liveness, status, title, tech) — the enum→probe step; feed it |
| One-shot passive+light sweep (subdomains → DNS → TLS → HTTP → headers → fingerprint → email security). |
| Full safe sweep → a severity-ranked Markdown report (surface, posture grades, findings). |
| Record / read / clear findings in the session store (also on the |
| Dedupe + prioritise findings before reporting: collapse exact duplicates, rank by severity × frequency, and surface systemic issues (same finding across many targets). Dry-run or |
| Compute a CVSS 3.1 base score + severity band from a vector or individual metrics — so a confirmed finding carries a defensible standard severity. Offline. |
| Export findings as SARIF 2.1.0 (GitHub code-scanning / DAST pipelines) or JSON. |
| "Graphify" the session into an Obsidian vault — linked notes (asset ↔ finding, vuln ↔ root cause) + tags + an Obsidian Canvas graph. Open the folder and use the graph view. |
| Track how the attack surface changes over time — baseline a set (subdomains/endpoints/…) and surface only what's new since last run (persists via |
🧠 Shared memory hub (persistent, cross-agent)
Tool | Purpose |
| Store an item in a shared, persistent knowledge store (SQLite; persists via |
| Full-text search (bm25 via SQLite FTS5, LIKE fallback) over the hub; filter by |
| Fetch one item; summarise the hub (counts by kind/trust). |
🛠️ External tools
Tool | Purpose |
| List known security CLIs (36, categorised) and whether each is installed + its native fallback. |
| Run an installed CLI ( |
📚 Knowledge bases
Referenced catalogs built into the server (offline, searchable as tools + MCP resources) — descriptions, detection guidance and links to public research, not weaponized exploit code:
Injections — 29 classes (255 detection payloads · 318 response signatures).
docs/INJECTIONS.mdExploitation techniques & notable PoCs — 115 techniques across 14 categories, from assembler-level memory corruption to the highest-level web / supply-chain.
docs/TECHNIQUES.mdPrivilege escalation — 129 techniques (Linux · Windows · container · cloud · Active Directory · macOS) + 68 tools.
docs/PRIVESC.mdServer-side vulnerabilities — 44 classes (popular and obscure), each mapped to its root cause and the concrete point where apps break, + 29 tools.
docs/SERVER_SIDE_VULNS.mdRoot-cause taxonomy — the 13 fundamental causes from which nearly all server-side bugs spring, each with its systemic fix. Where the core of all problems is.
docs/ROOT_CAUSES.mdWAF reference — 24 entries: how WAFs work, vendor fingerprints, and conceptual/defensive bypass classes.
docs/WAF.md
Tool | Purpose |
| Look up / search one of 29 injection classes (sqli, nosqli, xss, ssti, cmdi, xxe, xpath, ldapi, ssrf, crlf, prototype-pollution, prompt-injection, …): detection payloads, root causes, per-engine signatures. |
| Scan a response body for known injection error signatures → which class + technology (e.g. |
| 115 exploitation techniques & landmark public PoCs across all languages/levels — descriptions + links, not exploit code. |
| 129 privilege-escalation techniques across Linux/Windows/container/cloud/AD/macOS: enumeration commands, detection indicators, mitigations, references. |
| Catalog of 68 privesc tools (LinPEAS/WinPEAS, GTFOBins, LOLBAS, PowerUp, Seatbelt, pspy, potato family, BloodHound, Impacket, …). |
| Scan pasted enumeration output ( |
| 44 server-side vuln classes (popular + obscure) with root cause, |
| The root-cause taxonomy — the ~13 fundamental causes underneath all these bugs, each with why it recurs, the systemic fix, and the catalog vulns that derive from it. |
| WAF KB (how they work · fingerprints · bypass concepts); |
Resources: moonmcp://scope, moonmcp://capabilities, findings://current, injections://all, techniques://all, privesc://all, vulns://all, rootcauses://all, waf://all, audit://recent
Operator prompts (docs/SYSTEM_PROMPTS.md) — system prompts that make an agent using MoonMCP plan, pick the right tool, verify before it reports, minimise false positives and stay strictly in scope. Synthesised from real pentest-agent prompts (CAI, PentestGPT, XBOW, HexStrike), agent prompt-engineering (ReAct, Plan-and-Execute, Chain-of-Verification, Reflexion) and bug-bounty methodology (TBHM, OWASP WSTG, PortSwigger, HackerOne/Bugcrowd):
bug_bounty_operator— master engagement prompt (rules of engagement + OODA-style loop + tool map).deep_recon— exhaustive 5-phase attack-surface mapping.injection_hunt— KB-backed injection hunt with benign canaries + signature confirmation.technique_advisor— referenced technique guidance for an observed tech/CVE.triage_and_report— verify, dedupe, severity-rate and write accepted-quality reports.safe_recon— conservative, passive-first, scope-strict default.privesc_hunt— KB-backed privilege-escalation triage from an authorised foothold (enumerate →match_privesc→ verify).recon_methodology— the original quick-start recon playbook.
Quickstart
Requires Python 3.10+.
# with uv (recommended)
uv tool install --from . moonmcp # or: uvx --from . moonmcp
# or with pip
pip install .
# sanity check (prints detected capabilities, does not start the server)
moonmcp --checkAdd to an MCP client
Claude Desktop / Claude Code (claude_desktop_config.json or .mcp.json):
{
"mcpServers": {
"moonmcp": {
"command": "moonmcp",
"env": {
"MOONMCP_SCOPE": "*.example.com, 203.0.113.0/24",
"MOONMCP_ALLOW_INTRUSIVE": "0"
}
}
}
}See examples/claude_desktop_config.json for a fuller example.
Then, in the client: "Using MoonMCP, run recon on example.com" — the agent will
call scope_add, then the passive/light tools, and summarise the attack surface.
Use it from a shell-based agent (no MCP client needed)
Any agent with a shell (or a CI step) can drive MoonMCP without an MCP client:
moonmcp tools # list exposed tools
moonmcp call fingerprint --arg target=https://example.com
moonmcp call injection_info --json '{"injection_class":"ssti"}'Each call prints JSON; scope-gated tools still enforce MOONMCP_SCOPE. Expose a
curated slice with a profile — MOONMCP_PROFILE=strix (knowledge + memory +
recon + findings; hides the heavy scanners/proxy), or passive / knowledge /
recon, or fine-grained MOONMCP_EXPOSE_TOOLS / MOONMCP_HIDE_TOOLS. This is how
MoonMCP plugs into a tool like Strix as a shared brain/memory/guard
(see docs/STRIX_INTEGRATION.md).
Claude Code skill
A packaged skill ships in .claude/skills/moonmcp/
that teaches an agent the MoonMCP workflow, the rules of engagement, and the tool
map. Copy that folder into your ~/.claude/skills/ (or a project's .claude/skills/)
and the agent will orient itself with server_status + tool_catalog and drive
the tools in the right order — scope/program first, passive → light → intrusive
(with consent) → report.
A second skill, strix-orchestration, teaches an agent to drive MoonMCP
(fast, scope-first detection) together with Strix
(autonomous validation with working PoCs) as two MCP tools of the same agent
— MoonMCP finds, Strix confirms. See docs/STRIX_INTEGRATION.md
and the scope-gated reference wrapper in examples/strix_mcp/.
Configuration
All configuration is via environment variables (set them in your MCP client's env block):
Variable | Default | Description |
| (empty) | Comma/newline-separated in-scope entries: domains, |
| (empty) | Out-of-scope entries that always override the allowlist. |
|
| When on, active tools refuse targets not in scope. |
|
| SSRF guard: hard-block private/loopback/link-local/reserved IPs (incl. cloud metadata). Set |
|
| Gate for |
|
| Max outbound requests/sec (token bucket; |
|
| Max concurrent outbound connections. |
|
| Default request timeout (seconds). |
|
| User-Agent for HTTP probing. |
|
| Allow shelling out to installed CLIs. |
|
| Hard ceiling on any external CLI run (seconds). |
| (temp dir) | Where the |
| (none) | Enables the full Shodan API (else free InternetDB). |
| (none) | Raises the NVD CVE-lookup rate limit. |
The scope model
Scope is MoonMCP's core safety guardrail. Entries are matched like a bug-bounty program:
Entry | Matches |
| the apex and every subdomain |
| subdomains only (not the apex) |
| that exact host (and deeper labels under it) |
| a single IP |
| a CIDR range (IPv4 or IPv6) |
Exclusions always win over inclusions, so scope_add example.com +
scope_exclude admin.example.com authorises everything under example.com except
admin.example.com. When enforcement is on and the scope is empty, active tools
refuse to run until you authorise a target — a deliberate "fail closed" default.
Passive OSINT tools also scope-check the apex, so MoonMCP only enumerates assets you've declared authorised.
Defence in depth. Beyond the allowlist, MoonMCP:
Blocks private/reserved IPs (RFC1918, loopback, link-local incl. the
169.254.169.254cloud-metadata endpoint) by default — an SSRF guard no active tool can bypass, even if a broad CIDR was added. FlipMOONMCP_BLOCK_PRIVATE=0for authorised internal engagements.Re-checks redirects — the HTTP client refuses to follow a
Locationthat leaves the scope, and reports it asredirect_blockedinstead.Scope-checks external-CLI targets —
run_scannerextracts and validates the host/URL from its args, not just the optionaltargetfield.
Program profiles (one header per program)
Bug-bounty programs each want their own identifying header on your traffic so their WAF/SOC recognises authorised testing. A program profile bundles that with the program's scope:
program_add(name="acme", scope="*.acme.com, api.acme.io",
exclude="blog.acme.com",
header="X-HackerOne-Research: yourhandle",
user_agent="acme-recon/1.0") # activates by default
program_use(name="acme") # switch engagements laterActivating a program swaps in its scope and auto-attaches its header +
User-Agent to every in-scope request (through the same merge path as
auth_set, so it never leaks to out-of-scope hosts). Profiles persist to
MOONMCP_STATE_DIR, so a restart resumes the same engagement. Engagement
credentials from auth_set still layer on top and win on a key collision.
How a tool call is processed
Every packet-sending tool wears one decorator — @active_tool — that is the
single place scope lives, so behaviour is uniform and safe:
Normalise the target — a URL,
host:port, bracketed IPv6 or bare host is reduced to a canonical host.Classify & gate — the tool declares its class via the decorator: passive OSINT (third-party datasets, e.g.
ip_intel,cve_search) runs without touching the target; light active (@active_tool(), e.g.http_probe,favicon_hash) and intrusive (@active_tool(intrusive=True), e.g.port_scan,waf_efficacy) route through_require_scope, which fails closed if the host isn't in scope, is a blocked private IP, or — for intrusive tools —MOONMCP_ALLOW_INTRUSIVEis off. A CI guard test asserts every packet-sending tool carries the gate, so an un-gated capability can't ship.Rate-limit — all outbound traffic passes one shared token-bucket + concurrency
Governor, so a fan-out never exceedsMOONMCP_RATE_LIMIT.Execute on the async stdlib layer (blocking calls wrapped in
asyncio.to_thread), preferring an installed CLI when present and detected.Structure the result — dataclasses are converted to clean JSON; the HTTP client caps body size and re-checks redirects against scope.
Contain failures — the
@active_toolgate (and the@safe_toolwrapper it applies) turns scope/validation errors into structured{"error": …}objects instead of exceptions, so one bad input never crashes the session.
Augmenting with external CLIs
MoonMCP has native, stdlib implementations for the whole recon workflow, but it
gets sharper when best-in-class tools are on PATH — on Kali most already
are. It auto-detects and can run 36 tools, grouped by category:
Category | Tools |
subdomain |
|
dns |
|
http |
|
crawl / url |
|
content 🔸 |
|
port 🔸 |
|
vuln / cms 🔸 |
|
tls |
|
decompile |
|
🔸 = intrusive — run_scanner gates these behind MOONMCP_ALLOW_INTRUSIVE
(on top of the scope check), exactly like the native intrusive tools. If a tool
is missing, MoonMCP returns a clear note and the native fallback to use
instead — nothing errors out. Call external_tools for the live, categorised
inventory (installed + install hints).
Note: the ProjectDiscovery
httpxbinary and the Pythonhttpxlibrary share a name. MoonMCP detects and ignores the Python shim so it won't be mistaken for the scanner.
Architecture
moonmcp/
├── server.py # FastMCP server: 101 tools, 11 resources, 8 prompts (@active_tool = the one scope gate)
├── catalog.py # self-describing tool map (tool_catalog): families + gate flags + workflow
├── confirm.py # finding-confirmation scoring (differential + OAST + signatures)
├── cvss.py # CVSS 3.1 base-score calculator
├── web/probes.py # active detectors: SSTI / SQLi / SSRF / cache poisoning
├── recon/infra.py # behavioural infra analysers (backend fleet, DNS, vhost, rate-limit)
├── intel/oast_server.py # built-in OAST callback catcher (self-host)
├── memory.py # shared persistent memory hub (SQLite + FTS5, trust/provenance tags)
├── intercept.py # Burp-style repeater / intruder / passive scan + request-response history
├── programs.py # bug-bounty engagement profiles (per-program scope + header + UA)
├── prompts.py # operator system prompts (see docs/SYSTEM_PROMPTS.md)
├── scope.py # ScopeManager — the authorization guardrail
├── config.py # env-driven Settings
├── context.py # shared Settings + Scope + rate Governor + HttpClient + Programs
├── net/ # stdlib networking (async via asyncio.to_thread)
│ ├── http.py # urllib-based HTTP client w/ redirect tracing + rate limit
│ ├── dns.py # getaddrinfo + DNS-over-HTTPS (+ optional dnspython)
│ ├── tls.py # ssl-based cert inspection + TLS version/cipher/ALPN profile
│ ├── jarm.py # JARM active TLS fingerprint (verified vs salesforce/jarm)
│ ├── ports.py # asyncio TCP connect-scan
│ └── ratelimit.py # token-bucket + concurrency governor
├── recon/ # subdomains, fingerprint, headers, wayback, content, crawl, secrets, binary, favicon, origin, config_audit
├── web/ # cors, graphql, waf(+efficacy), jwt, methods, takeover, redirect, exposure, screenshot, behavior
├── intel/ # cve (NVD), shodan, email (SPF/DMARC/DKIM/CAA), asn (ASN/cloud/reverse-IP)
├── reporting.py # pure Markdown report renderer
├── findings.py # session findings store (findings:// resource)
├── knowledge/ # injection KB + techniques/PoC catalog (injections:// / techniques:// resources)
└── external/ # optional CLI detection + safe invocationEverything is async and shares one rate limiter, so recon traffic stays polite.
Blocking stdlib calls are wrapped with asyncio.to_thread; port scanning uses
native asyncio streams.
Development
uv venv && source .venv/bin/activate
uv pip install -e ".[dev,enhanced]"
pytest -q # 190+ tests: scope logic, the @active_tool gate, program profiles, parsers, web-app checks, local-server integration
ruff check .Tests are fully offline — network-dependent parsers are covered with fixtures, and
the HTTP/port/content tools are exercised against a local http.server.
Ethics & legal
MoonMCP is a defensive/authorised-research tool. Only use it against systems you own or have explicit written permission to test (e.g. an in-scope bug-bounty target). Respect program rules, rate limits and the law. The authors accept no liability for misuse.
License
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Moonwuk/MoonMcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server