Skip to main content
Glama
malloryai

Mallory MCP Server

Official
by malloryai
OverviewSchemaRelated ServersScoreDiscussions
Python
Remote

list_threat_actors

Search and browse threat actors to discover recent additions, filter by name or UUID, and generate threat intelligence reports with pagination and sorting options.

Instructions

Get threat actors

Use this tool when you need to search, browse, or list multiple threat actors. This is particularly useful for:

  • Discovering recently added threat actors in the database

  • Searching for specific threat actors by name

  • Creating reports on threat actor landscapes

  • Building comprehensive threat intelligence briefings

  • Comparing multiple threat actors

Args: filter (str, optional): A string used to filter threat actors. It can start with specific prefixes: * name:: Filter by Name. * uuid:: Filter by UUID. * If no prefix is provided, it defaults to a name filter. Defaults to "". offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0. limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100). sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'. Defaults to 'created_at'. order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns: Dict[str, Any]: Dictionary containing: - total: Total number of threat actors matching the filter criteria - offset: Current pagination offset - limit: Number of items returned per page - message: Status message (usually null when successful) - data: List of threat actor records, each containing: - uuid: Unique identifier for the threat actor - name: Machine-readable name (typically lowercase with underscores) - display_name: Human-readable name with proper formatting - gen_description: Generated description (if available) - misp_uuid: Reference ID in MISP (Malware Information Sharing Platform) - created_at: Timestamp when this record was first added - updated_at: Timestamp when this record was last modified - enriched_at: Timestamp when this record was last enriched with additional data

Note: This function returns summary information about threat actors. To get detailed information including mentions and intelligence sources for a specific threat actor, use the get_threat_actor() function with the uuid or name.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
filterNo
offsetNo
limitNo
sortNocreated_at
orderNodesc

Implementation Reference

  • malloryai/mcp/tools/threat_actors.py:53-109 (handler)
    The handler function for the 'list_threat_actors' MCP tool, registered via @mcp.tool() decorator. Includes input parameters, comprehensive docstring defining schema, and proxies the call to the underlying MalloryAI client API.
    @mcp.tool()
@handle_api_errors
async def list_threat_actors(
    filter: str = "",
    offset: int = 0,
    limit: int = 10,
    sort: str = "created_at",
    order: str = "desc",
) -> Dict[str, Any]:
    """Get threat actors

    Use this tool when you need to search, browse, or list multiple threat actors. This is
    particularly useful for:
    - Discovering recently added threat actors in the database
    - Searching for specific threat actors by name
    - Creating reports on threat actor landscapes
    - Building comprehensive threat intelligence briefings
    - Comparing multiple threat actors

    Args:
        filter (str, optional): A string used to filter threat actors. It can start with specific prefixes:
            * `name:`: Filter by Name.
            * `uuid:`: Filter by UUID.
            * If no prefix is provided, it defaults to a name filter.
            Defaults to "".
        offset (int, optional): The number of items to skip before starting to collect the result set.
            Defaults to 0.
        limit (int, optional): The maximum number of items to return. Minimum value is 1.
            Defaults to 10 (API default is 100).
        sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'.
            Defaults to 'created_at'.
        order (str, optional): Sort order - either 'asc' or 'desc'.
            Defaults to 'desc'.

    Returns:
        Dict[str, Any]: Dictionary containing:
            - total: Total number of threat actors matching the filter criteria
            - offset: Current pagination offset
            - limit: Number of items returned per page
            - message: Status message (usually null when successful)
            - data: List of threat actor records, each containing:
                - uuid: Unique identifier for the threat actor
                - name: Machine-readable name (typically lowercase with underscores)
                - display_name: Human-readable name with proper formatting
                - gen_description: Generated description (if available)
                - misp_uuid: Reference ID in MISP (Malware Information Sharing Platform)
                - created_at: Timestamp when this record was first added
                - updated_at: Timestamp when this record was last modified
                - enriched_at: Timestamp when this record was last enriched with additional data

    Note: This function returns summary information about threat actors. To get detailed
    information including mentions and intelligence sources for a specific threat actor,
    use the get_threat_actor() function with the uuid or name.
    """
    return await malloryai_client.threat_actors.list_threat_actors(
        filter=filter, offset=offset, limit=limit, sort=sort, order=order
    )
  • malloryai/mcp/server/server.py:16-35 (registration)
    Dynamic registration mechanism that imports all tool modules (including threat_actors.py), triggering the @mcp.tool() decorators to register the list_threat_actors tool.
    def load_tools():
    """Dynamically load all tool modules in the tools package"""
    # Get the tools directory
    tools_dir = Path(__file__).resolve().parent.parent / "tools"

    # Find all Python modules in the tools directory
    for _, module_name, _ in pkgutil.iter_modules([str(tools_dir)]):
        # Skip the __init__ module
        if module_name != "__init__":
            # Import the module
            importlib.import_module(f"malloryai.mcp.tools.{module_name}")
            debug_log(f"Loaded tool: {module_name}")


def initialize_server():
    """Initialize the server by loading all tools"""
    try:
        debug_log("Starting tool loading...")
        load_tools()
        debug_log("Tools loaded successfully")

Tool Definition Quality

A4.7/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It effectively describes the tool's behavior including pagination (offset/limit), filtering capabilities, sorting options, and return format. It also clarifies that this returns summary information rather than detailed intelligence. The only minor gap is lack of explicit mention about rate limits or authentication requirements.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections (purpose, use cases, args, returns, note) and efficiently communicates necessary information. While comprehensive, it maintains focus without unnecessary verbosity. The only minor improvement would be slightly tighter phrasing in the use cases section.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with 5 parameters, 0% schema description coverage, no annotations, and no output schema, the description provides complete context. It covers purpose, usage guidelines, detailed parameter explanations, return format documentation, and sibling tool differentiation. This gives the agent everything needed to correctly invoke the tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Given 0% schema description coverage, the description fully compensates by providing comprehensive parameter documentation. It explains each of the 5 parameters in detail, including default values, valid values for sort and order fields, filter prefix behavior, and practical usage guidance. This adds significant value beyond what the bare schema provides.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with specific verbs ('search, browse, or list multiple threat actors') and distinguishes it from sibling tools by explicitly mentioning get_threat_actor() as the alternative for detailed information. It goes beyond just restating the name by explaining the scope and functionality.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit guidance on when to use this tool ('when you need to search, browse, or list multiple threat actors') and when not to use it (directing users to get_threat_actor() for detailed information). It includes specific use cases and clearly distinguishes from the sibling tool for detailed lookups.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/malloryai/mallorymcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server