wrg-mcp-server

💡 Found this useful? ⭐ Star the repo (helps others find it) and subscribe to weekly detection-engineering writeups at Detection Frontier.

Give your AI agent direct access to a 60+ tool security & threat-intel stack via MCP — secret scanning, sigma rule generation, ransomware lookup, OSINT, deep research, and more.

An MCP (Model Context Protocol) bridge that exposes the WinstonRedGuard AI security platform to Claude Code, Claude Desktop, Cursor, Codex, and any MCP-compatible AI agent.

Why this exists

Modern AI coding agents (Claude, Cursor, Codex) excel at code generation but cannot directly:

  • Scan a repo for leaked secrets, credentials, or PII patterns

  • Look up ransomware groups, victims, and infrastructure by name

  • Generate Sigma detection rules from observed incident data

  • Run OSINT username probes across 3000+ sites

  • Query a curated threat-intel actor corpus with MITRE ATT&CK mappings

This MCP server fills that gap. Drop it into your MCP client config and your agent gains 60+ tools spanning code security, threat intelligence, OSINT, research, and signal analysis — all without leaving the agent's context.

Use cases

  • Secure-by-default coding workflows — agent runs devguard_scan before every commit, catches API keys + PII patterns before they ship

  • Threat-intel queries during incident response — "What's the latest LockBit infrastructure?" → agent calls ransomware_lookup + darkweb_brand_watch directly

  • Detection engineering with AI assistance — ai_fingerprint_sigma_emit converts observed AI-generated code patterns into Sigma YAML rules

  • OSINT investigations — maigret_search username probe across 3000+ sites; results flow back into the agent's reasoning context

  • Research automation — research_motor HTTP API gives the agent persistent, queryable research jobs across domains

Quick start

pip install wrg-mcp-server                 # core: 40+ local tools
pip install "wrg-mcp-server[remote]"       # adds httpx for site_* / pulseboard_* tools

Add to your Claude Code / Claude Desktop config:

{
  "mcpServers": {
    "wrg": {
      "command": "wrg-mcp-server",
      "args": ["--transport", "stdio"],
      "env": {
        "WRG_MCP_ALLOW_MUTATIONS": "0"
      }
    }
  }
}

Restart your client. The agent now has access to mcp__wrg__* tools.

How it compares

| Project | Surface | Tool count | Auth required | Best for |
| --- | --- | --- | --- | --- |
| wrg-mcp-server | Security + threat-intel + OSINT + research | 60+ | Optional env per remote | Security/detection/threat-intel engineers + AI agents |
| github-mcp-server | GitHub API | ~30 | Required (PAT) | General GitHub workflow automation |
| Filesystem MCP | Local fs | ~10 | None | Generic file operations |
| Playwright MCP | Browser automation | ~20 | None | Web scraping + UI testing |
| Fetch MCP | HTTP fetch | ~5 | None | Simple URL → markdown extraction |

When to reach for wrg-mcp-server

  • You're a security engineer, detection engineer, or threat-intel analyst working with AI agents

  • You want curated threat-intel + OSINT in your agent without manual tool-juggling

  • You have (or can install) the WinstonRedGuard monorepo for the full feature set

Where wrg-mcp-server loses today (honest delta)

  • Setup friction higher than generic MCP servers — full feature set requires the WinstonRedGuard monorepo (private). Standalone install (no monorepo) gives ~40% of tools (OSINT + research + trading + polymarket all work without monorepo)

  • Windows-first — primary dev environment is Windows 11 + WSL2; macOS/Linux supported but less battle-tested

  • Documentation density — 60+ tools is a lot; in-depth per-tool docs live in source comments rather than separate pages

  • Newer than alternatives — github-mcp-server, Filesystem, Playwright MCP all have larger communities and more battle-testing

Transports

wrg-mcp-server --transport stdio              # Claude Desktop / Claude Code (recommended)
wrg-mcp-server --transport streamable-http    # HTTP for remote clients
wrg-mcp-server --transport sse                # legacy HTTP (SSE)

Flags: --host 0.0.0.0 · --port 8080 · --mcp-path /mcp

Install (full options)

pip install wrg-mcp-server                 # core: MCP + local tools only
pip install "wrg-mcp-server[remote]"       # adds httpx for site_* / pulseboard_* tools
pip install "wrg-mcp-server[dev]"          # pytest + pytest-asyncio

From source (standalone repo):

git clone https://github.com/WRG-11/wrg-mcp-server.git
cd wrg-mcp-server
pip install -e ".[dev]"

Note: [threat-intel] extras were removed in v1.0.4 (PyPI rejects direct file:// deps). Sister wrg_threat_intel + ransom_radar stay in the WRG monorepo for now; will re-add this extras group once they publish to PyPI.

Tool surface

60+ tools organised across 8 categories. Detailed tables below — expand a section to view.

Core monorepo introspection

| Tool | What it does |
| --- | --- |
| connector_status | Report which remote services are configured |
| app_list, app_info | Query app_registry/data/registry.json |
| governance_run | Execute governance_check across one or all apps |
| release_check | Run the tools/release_check.ps1 gate |
| pipeline_list, pipeline_show, pipeline_run | wrg_pipeline DAG operations |
| pulse_check | Invoke wrg-pulse check |
| memory_get, memory_set, memory_list, memory_search | wrg_memory key-value access |
| vault_audit | wrg_vault audit ledger inspection |
| scheduler_task_list, scheduler_tick_dry_run | wrg_scheduler inspection |

Research

| Tool | What it does |
| --- | --- |
| research_history, research_report, research_scan, research_watch, research_scan_summary | research_motor runs and artifacts |
| research_motor_healthz, research_motor_scan_create, research_motor_scan_get | research_motor HTTP API v1 over localhost |

Silo-app expansion (6 apps × 2 tools)

AI fingerprint (wrg_ai_fingerprint)

| Tool | What it does |
| --- | --- |
| ai_fingerprint_scan | Scan a path for AI-generated code signals; supports min_score, exclude[] |
| ai_fingerprint_detectors | List registered detectors and their weights |
| ai_fingerprint_sigma_emit | Convert fingerprint scan JSON into Sigma YAML rules |

DevGuard (wrg_devguard)

| Tool | What it does |
| --- | --- |
| devguard_scan | Run policy / secrets / crypto scans on a path; empty scan_types runs combined check |
| devguard_baseline | List configured policy profiles (baseline + strict) and presence |

Security suite (wrg_security_suite) — security_suite_run is mutation-gated

| Tool | What it does |
| --- | --- |
| security_suite_run | Run code / person / network / full scan (mutation — requires WRG_MCP_ALLOW_MUTATIONS=1) |
| security_suite_report | Read a scan report by scan_id (read-only) |

Rule lab (rule_lab)

| Tool | What it does |
| --- | --- |
| rule_lab_test | Simulate a rule set against sample contexts |
| rule_lab_list | List rule files under $WRG_RULE_LAB_DIR or <repo>/.wrg/rules |

Data janitor (data_janitor) — data_janitor_sweep mutation-gated when dry_run=False

| Tool | What it does |
| --- | --- |
| data_janitor_sweep | Scan or clean build artifacts (non-dry requires WRG_MCP_ALLOW_MUTATIONS=1) |
| data_janitor_orphans | Preview orphan / build-artifact targets (read-only) |

Notifier (wrg_notifier3) — notifier_send is mutation-gated

| Tool | What it does |
| --- | --- |
| notifier_send | Dispatch a message to a configured channel (mutation — requires WRG_MCP_ALLOW_MUTATIONS=1) |
| notifier_channels | Introspect available channel adapters (read-only) |

INFO_OPS extension

| Tool | What it does |
| --- | --- |
| info_ops_detect | Query INFO_OPS actor corpus; enrich each match with linked incidents + Sigma rules; reverse-lookup via mitre_technique filter |

Example:

info_ops_detect()  # all INFO_OPS actors + Sigma + incidents
info_ops_detect(actor_id="russia_nexus_info_ops")  # specific actor
info_ops_detect(mitre_technique="T1656")  # reverse lookup

OSINT

| Tool | What it does |
| --- | --- |
| maigret_search | Username search across 3000+ sites (Maigret) |

Threat-intel (opt-in via [threat-intel] extra)

| Tool | What it does |
| --- | --- |
| attack_surface_passive | Passive attack surface reconnaissance |
| ransomware_lookup | Ransomware group/victim lookup |
| darkweb_brand_watch | Dark web brand mention monitoring |

Ransom-radar

| Tool | What it does |
| --- | --- |
| ransom_radar_tick | Run a ransom-radar feed tick |
| ransom_radar_status | Check ransom-radar watchlist status |

| Tool | What it does |
| --- | --- |
| arastirma_ask | Ask a question to the Arastirma Ussu knowledge base |
| arastirma_doc_search | Search documents in the knowledge base |
| arastirma_web_search | Web search through Arastirma Ussu |
| arastirma_memory_search | Search memory entries |

| Tool | What it does |
| --- | --- |
| trading_analyze | Full multi-agent trading analysis for a ticker |
| trading_quick_signal | Fast RSI/price signal for a ticker |
| polymarket_event_signal | Polymarket event signal analysis |
| research_deep | Deep research with AI research platform |

| Tool | Upstream |
| --- | --- |
| site_health, site_get, site_post | Company site API (WRG_SITE_BASE_URL) |
| pulseboard_health, pulseboard_list_repos, pulseboard_add_repo, pulseboard_delete_repo, pulseboard_get_pulse | pulseboard dashboard (WRG_PULSEBOARD_BASE_URL) |

Remote tools return {"ok": false, "error": "httpx not installed — remote tools unavailable"} when [remote] extra is missing.

Environment

Repo discovery

| Variable | Default | Purpose |
| --- | --- | --- |
| WRG_REPO_ROOT | auto-detect (walk up until apps/ + CLAUDE.md) | Required when installed from wheel outside the monorepo |

Mutation gate (default: off)

State-changing tools (memory_set, pipeline_run, security_suite_run, data_janitor_sweep non-dry, notifier_send) refuse to execute unless:

WRG_MCP_ALLOW_MUTATIONS=1

This prevents an MCP client from silently writing memory or launching pipelines on a read-only connection.

Remote service config

Per service (SITE / PULSEBOARD), prefix with WRG_<SERVICE>_:

| Variable | Default | Purpose |
| --- | --- | --- |
| *_BASE_URL | — | Enables the service (unset = service disabled) |
| *_TOKEN | — | Bearer token for Authorization header |
| *_AUTH_HEADER | Authorization | Override header name |
| *_AUTH_SCHEME | Bearer | Override token scheme |
| *_SESSION_COOKIE | — | Optional Cookie header |
| *_EXTRA_HEADERS | — | JSON object of extra headers |
| *_TIMEOUT_SECONDS | WRG_HTTP_TIMEOUT_SECONDS (20.0) | Per-request timeout |
| *_VERIFY_TLS | WRG_HTTP_VERIFY_TLS (true) | TLS verification |
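
A check a reviewer can run over an MCP client config before enabling this server, covering the mutation gate, the HTTP transport flags and the remote service variables described above. This is an added example, not code from wrg-mcp-server: audit_config, audit_server and flag_value are hypothetical names, the sample config is constructed, and the set of values treated as disabling TLS verification is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the Quick start config shape; the token and the
# 203.0.113.10 address are made-up placeholders.
SAMPLE_CONFIG = """{"mcpServers": {"wrg": {
  "command": "wrg-mcp-server",
  "args": ["--transport", "streamable-http", "--host", "0.0.0.0"],
  "env": {"WRG_MCP_ALLOW_MUTATIONS": "1",
          "WRG_SITE_BASE_URL": "http://203.0.113.10/api",
          "WRG_SITE_TOKEN": "constructed-example-token",
          "WRG_SITE_VERIFY_TLS": "false"}}}}"""

FALSY = {"0", "false", "no", "off"}  # assumption: spellings that mean "disabled"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SECRET_SUFFIXES = ("_TOKEN", "_SESSION_COOKIE", "_API_KEY")

def flag_value(args, flag):
    """Value that follows a CLI flag in an args list, or None if absent."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None

def audit_server(name, entry):
    """Return (server, finding) tuples for one mcpServers entry."""
    env, args = entry.get("env", {}), entry.get("args", [])
    findings = []
    if str(env.get("WRG_MCP_ALLOW_MUTATIONS", "0")).strip() == "1":
        findings.append((name, "mutation gate open: state-changing tools enabled"))
    if (flag_value(args, "--transport") in ("streamable-http", "sse")
            and flag_value(args, "--host") == "0.0.0.0"):
        findings.append((name, "HTTP transport bound to all interfaces"))
    for key, raw in env.items():
        value = str(raw).strip()
        if key.endswith("_VERIFY_TLS") and value.lower() in FALSY:
            findings.append((name, f"{key}: TLS verification disabled"))
        elif key.endswith("_BASE_URL"):
            url = urlsplit(value)
            if url.scheme == "http" and url.hostname not in LOOPBACK:
                findings.append((name, f"{key}: cleartext HTTP to non-loopback host"))
        elif key.endswith(SECRET_SUFFIXES) and value:
            findings.append((name, f"{key}: credential stored inline in config"))
    return findings

def audit_config(text):
    """Audit every server entry in an MCP client config given as JSON text."""
    servers = json.loads(text).get("mcpServers", {})
    return [f for name, entry in servers.items() for f in audit_server(name, entry)]

if __name__ == "__main__":
    for server, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{server}] {finding}")
```

The Quick start config (stdio transport, WRG_MCP_ALLOW_MUTATIONS set to "0") produces no findings.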

research_motor HTTP API

Start the research_motor API separately, then point the MCP server at it:

cd apps/research_motor
pip install -e ".[api]"
set RESEARCH_MOTOR_API_KEY=replace-me
research-motor serve --host 127.0.0.1 --port 8080

Configure the MCP server environment:

set WRG_RM_API_BASE_URL=http://127.0.0.1:8080
set WRG_RM_API_KEY=replace-me

Architecture

FastMCP server
├── server.py            — tool registration, remote HTTP dispatch
├── config.py            — ServiceConfig / AppConfig from env (frozen dataclasses)
├── http_utils.py        — URL builder, response parser
├── local_tools.py       — subprocess wrappers for WRG CLIs (~20 tools)
└── cli.py               — argparse entry point

Local tools use subprocess.run with stdin=DEVNULL (not asyncio subprocess) — avoids a Windows pipe-blocking deadlock under anyio. Tool dispatch is wrapped in anyio.to_thread.run_sync so the MCP event loop stays responsive.

Tests

pytest -q

Sister WRG-11 packages

Part of the WRG-11 PyPI portfolio:

  • instinct-mcp — Self-learning memory for AI coding agents

  • wrg-devguard — Developer-first AI safety: prompt-policy lint + secret scanning + log scanning with PII detection

  • wrg-rule-lab — Local-first deterministic rule evaluation engine (zero-dep, stdlib-only)

  • ai-security-toolkit — Offensive + defensive AI/LLM security tools, labs, CTF writeups, research

Built by WRG-11.

Status

Production — covers every active WRG app, drives the mcp__wrg__* tools visible in connected Claude sessions.

License

MIT. See LICENSE.
