Skip to main content
Glama
aplaceforallmystuff

MCP Threat Intel Server

by aplaceforallmystuff
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Remote

threatintel_lookup_ip

Queries an IP address against multiple threat intelligence feeds, aggregating results from OTX, AbuseIPDB, GreyNoise, and Feodo Tracker for comprehensive security analysis.

Instructions

Look up an IP address across all configured threat intelligence sources (OTX, AbuseIPDB, GreyNoise, Feodo Tracker)

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
ipYesIP address to look up

Implementation Reference

  • src/index.ts:112-125 (schema)
    Tool schema/definition for threatintel_lookup_ip: defines the tool name, description ('Look up an IP address across all configured threat intelligence sources...'), and input schema requiring an 'ip' string parameter.
    {
  name: "threatintel_lookup_ip",
  description: "Look up an IP address across all configured threat intelligence sources (OTX, AbuseIPDB, GreyNoise, Feodo Tracker)",
  inputSchema: {
    type: "object" as const,
    properties: {
      ip: {
        type: "string",
        description: "IP address to look up",
      },
    },
    required: ["ip"],
  },
},
  • src/index.ts:408-456 (handler)
    Handler implementation for threatintel_lookup_ip: extracts the 'ip' argument, then queries AbuseIPDB (for reputation), OTX (for IP indicators), and GreyNoise (for classification), collecting results into a single response.
    case "threatintel_lookup_ip": {
  const { ip } = args as { ip: string };
  const results: Record<string, unknown> = { ip };

  // AbuseIPDB
  if (services.abuseipdb) {
    try {
      const abuseResult = await apiRequest<{ data: unknown }>(
        `${config.abuseipdb.baseUrl}/check?ipAddress=${encodeURIComponent(ip)}&maxAgeInDays=90`,
        { headers: { Key: config.abuseipdb.apiKey! } }
      );
      results.abuseipdb = abuseResult.data;
    } catch (e) {
      results.abuseipdb = { error: e instanceof Error ? e.message : String(e) };
    }
  }

  // OTX
  if (services.otx) {
    try {
      const otxResult = await apiRequest<unknown>(
        `${config.otx.baseUrl}/indicators/IPv4/${ip}/general`,
        { headers: { "X-OTX-API-KEY": config.otx.apiKey! } }
      );
      results.otx = otxResult;
    } catch (e) {
      results.otx = { error: e instanceof Error ? e.message : String(e) };
    }
  }

  // GreyNoise
  if (services.greynoise) {
    try {
      const gnResult = await apiRequest<unknown>(
        `${config.greynoise.baseUrl}/community/${ip}`,
        config.greynoise.apiKey
          ? { headers: { key: config.greynoise.apiKey } }
          : {}
      );
      results.greynoise = gnResult;
    } catch (e) {
      results.greynoise = { error: e instanceof Error ? e.message : String(e) };
    }
  }

  return {
    content: [{ type: "text", text: JSON.stringify(results, null, 2) }],
  };
}
  • src/index.ts:99-168 (registration)
    Tools registration: the TOOLS array is defined starting at line 99, and threatintel_lookup_ip is included at lines 112-125. This array is returned by the ListToolsRequestSchema handler at line 377-379.
    // Define available tools
const TOOLS: Tool[] = [
  // Status tool
  {
    name: "threatintel_status",
    description: `Check which threat intelligence sources are configured. Currently available: ${configuredServices.join(", ") || "none (abuse.ch feeds work without auth)"}`,
    inputSchema: {
      type: "object" as const,
      properties: {},
      required: [],
    },
  },
  // Unified lookup
  {
    name: "threatintel_lookup_ip",
    description: "Look up an IP address across all configured threat intelligence sources (OTX, AbuseIPDB, GreyNoise, Feodo Tracker)",
    inputSchema: {
      type: "object" as const,
      properties: {
        ip: {
          type: "string",
          description: "IP address to look up",
        },
      },
      required: ["ip"],
    },
  },
  {
    name: "threatintel_lookup_domain",
    description: "Look up a domain across threat intelligence sources (OTX, URLhaus)",
    inputSchema: {
      type: "object" as const,
      properties: {
        domain: {
          type: "string",
          description: "Domain name to look up",
        },
      },
      required: ["domain"],
    },
  },
  {
    name: "threatintel_lookup_hash",
    description: "Look up a file hash (MD5, SHA1, SHA256) across threat intelligence sources (OTX, MalwareBazaar)",
    inputSchema: {
      type: "object" as const,
      properties: {
        hash: {
          type: "string",
          description: "File hash (MD5, SHA1, or SHA256)",
        },
      },
      required: ["hash"],
    },
  },
  {
    name: "threatintel_lookup_url",
    description: "Look up a URL for malware/phishing indicators (OTX, URLhaus)",
    inputSchema: {
      type: "object" as const,
      properties: {
        url: {
          type: "string",
          description: "URL to check",
        },
      },
      required: ["url"],
    },
  },
];
  • src/index.ts:77-97 (helper)
    Helper function apiRequest used by the IP lookup handler to make HTTP requests to threat intel APIs with JSON headers and error handling.
    // Helper function for API requests
async function apiRequest<T>(
  url: string,
  options: RequestInit = {}
): Promise<T> {
  const response = await fetch(url, {
    ...options,
    headers: {
      "Content-Type": "application/json",
      "Accept": "application/json",
      ...(options.headers || {}),
    },
  });

  if (!response.ok) {
    const text = await response.text();
    throw new Error(`API error ${response.status}: ${text}`);
  }

  return response.json() as Promise<T>;
}

Tool Definition Quality

A3.5/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, and the description only mentions 'look up', a read operation. It does not disclose behaviors such as response format, error handling, or rate limits.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

A single, clear sentence with no extraneous information; highly concise and front-loaded.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a simple one-parameter tool with no output schema, the description is adequate but could mention typical return values or the union of source responses.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Input schema coverage is 100%, and the description adds no new meaning beyond the schema's property description for 'ip'. Baseline score applies.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb 'look up' and the resource 'IP address across all configured threat intelligence sources', distinguishing it from sibling tools like feodo_tracker or greynoise_ip that target specific sources.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies when to use the tool (for a comprehensive lookup across all sources) but does not explicitly state when to use alternatives or exclude certain scenarios.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aplaceforallmystuff/mcp-threatintel'

If you have feedback or need assistance with the MCP directory API, please join our Discord server