Reports MCP Server

get_vulnerability

Retrieve a specific vulnerability by its ID from penetration testing reports to access detailed security assessment documentation, including CVSS 3.1 scoring and HTML formatting.

Instructions

Retrieve a specific vulnerability by ID

Input Schema

TableJSON Schema

Name	Required	Description	Default
`bearerToken`	No	Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set)
`vulnerabilityId`	Yes	The ID of the vulnerability to retrieve (24-character MongoDB ObjectId)

Implementation Reference

server.js:330-395 (handler)

The core handler function that implements the logic for retrieving a specific vulnerability by ID from the API endpoint. It validates the ID, makes an authenticated GET request, and returns formatted JSON response or error content.

async function getVulnerability(providedToken, vulnerabilityId) {
  try {
    const bearerToken = getBearerToken(providedToken);
    
    // Validate vulnerabilityId format (should be MongoDB ObjectId)
    if (!vulnerabilityId || !vulnerabilityId.match(/^[0-9a-fA-F]{24}$/)) {
      throw new McpError(
        ErrorCode.InvalidParams,
        'Invalid vulnerabilityId format. Must be a valid MongoDB ObjectId (24 characters)'
      );
    }

    const response = await axios.get(`${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`, {
      headers: {
        'Authorization': `Bearer ${bearerToken}`,
        'Content-Type': 'application/json',
      },
      timeout: 10000,
    });

    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify({
            success: true,
            status: response.status,
            data: response.data,
            timestamp: new Date().toISOString(),
            message: `Retrieved vulnerability ${vulnerabilityId}`,
          }, null, 2),
        },
      ],
    };
  } catch (error) {
    if (error instanceof McpError) {
      throw error;
    }
    
    if (error.response) {
      return {
        content: [
          {
            type: 'text',
            text: JSON.stringify({
              success: false,
              status: error.response.status,
              error: error.response.data || error.message,
              timestamp: new Date().toISOString(),
            }, null, 2),
          },
        ],
      };
    } else if (error.request) {
      throw new McpError(
        ErrorCode.InternalError,
        `Network error: Unable to reach the API at ${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`
      );
    } else {
      throw new McpError(
        ErrorCode.InternalError,
        `Request setup error: ${error.message}`
      );
    }
  }
}

server.js:898-915 (schema)

The input schema and description for the 'get_vulnerability' tool as exposed in the listTools MCP endpoint.

{
  name: 'get_vulnerability',
  description: 'Retrieve a specific vulnerability by ID',
  inputSchema: {
    type: 'object',
    properties: {
      bearerToken: {
        type: 'string',
        description: 'Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set)',
      },
      vulnerabilityId: {
        type: 'string',
        description: 'The ID of the vulnerability to retrieve (24-character MongoDB ObjectId)',
      },
    },
    required: ['vulnerabilityId'],
  },
},

server.js:1154-1161 (registration)

The dispatch case in the central tool call handler that validates arguments and invokes the getVulnerability handler function.

case 'get_vulnerability':
  if (!args.vulnerabilityId) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'Vulnerability ID is required'
    );
  }
  return await getVulnerability(args.bearerToken, args.vulnerabilityId);

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It states the action ('retrieve') but lacks details on authentication requirements (beyond what's in the schema), rate limits, error handling, or response format. This is a significant gap for a tool that likely interacts with sensitive data.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads the core purpose without unnecessary words. Every element ('retrieve,' 'specific vulnerability,' 'by ID') earns its place by clarifying scope and method, making it highly concise and well-structured.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of vulnerability data, lack of annotations, and no output schema, the description is incomplete. It doesn't explain what a 'vulnerability' entails in this context, the format of the returned data, or how this tool fits into the broader workflow with siblings like 'create_vulnerabilities' or 'update_vulnerability.'

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents both parameters thoroughly. The description adds no additional meaning beyond implying the 'vulnerabilityId' is used for retrieval. This meets the baseline for high schema coverage but doesn't enhance understanding of parameter usage or constraints.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb ('retrieve') and resource ('specific vulnerability by ID'), making the purpose immediately understandable. It distinguishes from sibling tools like 'get_vulnerabilities' (plural) by specifying retrieval of a single item. However, it doesn't explicitly contrast with 'get_report' or other retrieval tools, keeping it from a perfect score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance is provided on when to use this tool versus alternatives like 'get_vulnerabilities' (for listing) or 'get_report' (for related reports). The description implies usage for fetching a single vulnerability but offers no context on prerequisites, error conditions, or integration with other tools.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/izzy0101010101/mcp-reports-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server