phishfort-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@phishfort-mcpShow me recent phishing incidents"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
██████╗ ██╗ ██╗██╗███████╗██╗ ██╗███████╗ ██████╗ ██████╗ ████████╗
██╔══██╗██║ ██║██║██╔════╝██║ ██║██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝
██████╔╝███████║██║███████╗███████║█████╗ ██║ ██║██████╔╝ ██║
██╔═══╝ ██╔══██║██║╚════██║██╔══██║██╔══╝ ██║ ██║██╔══██╗ ██║
██║ ██║ ██║██║███████║██║ ██║██║ ╚██████╔╝██║ ██║ ██║
╚═╝ ╚═╝ ╚═╝╚═╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
███╗ ███╗ ██████╗██████╗
████╗ ████║██╔════╝██╔══██╗
██╔████╔██║██║ ██████╔╝
██║╚██╔╝██║██║ ██╔═══╝
██║ ╚═╝ ██║╚██████╗██║
╚═╝ ╚═╝ ╚═════╝╚═╝
MCP server + paired agent skill for PhishFort workflows
approval-gated writes | secret-safe defaults | no URL fetchingphishfort-mcp
A security-first MCP server and paired agent skill for the PhishFort Unified Client API.
Security-reviewed and hardened — 2026-06-10. Approval-gated writes · secret-safe by default · no incident-URL fetching · every security claim verified against the code.
Bring PhishFort incident review, reporting, attachments, comments, and webhook management into your MCP client, then give your agent the workflow playbook for using those tools safely.
Paired skill | Official PhishFort API docs | Security review | Local reference
Unofficial project. Not affiliated with, endorsed by, or maintained by PhishFort.
Security, reviewed in the open
This is a security tool, so the security work is the headline — not a disclaimer at the bottom. Every control is implemented in code, covered by tests, and was put through a review-and-harden pass whose results are public.
2026-06-02 — v0.1.0. Local
stdioMCP server and paired agent skill, security-first by default: approval-gated writes, API host pinning, redirects disabled, and no fetching of incident URLs.2026-06-05 — Posture mapped to evidence. Every security feature documented against MCP, OpenAI, and Anthropic guidance, each row tied to the exact code and test behind it.
2026-06-10 — v0.1.1 Review and hardening pass. A security review conducted by Claude Fable 5 Ultracode (initial pass), Opus 4.8 xhigh, rubber-ducked with Codex 5.5 xhigh via plugin drove a hardening pass:
destructive confirmation is now enforced on incident-action requests — the annotation and the approval gate agree,
secret-named fields are scrubbed recursively, and one-time webhook secrets are written through
O_NOFOLLOW0600files,retries now cover transport errors, and secret-named fields are redacted from errors,
the approval salt is random and process-stable, and the retry count is bounded,
the webhook URL preflight rejects legacy numeric-IP encodings,
the attachment validate→upload race (TOCTOU) is closed.
The same pass reworded every security claim to match what the code enforces — the approval gate is described as in-process integrity and confirmation, not independent authorization, and the webhook URL check as a pre-submit sanity check. Tests went from 26 to 36.
The table below is the evidence: each control maps to the code and the test that backs it.
Related MCP server: Security Copilot MCP Server
Standards-Backed Security Posture
This server was designed against the Official Model Context Protocol security guidance, Anthropic connector guidance, OpenAI MCP guidance, OpenAI agent safety guidance, and PhishFort's official API docs. The table below lists only security features that are implemented in code, with local evidence.
Local evidence:
Security feature | What it prevents | Confirmed implementation |
Local | Avoids exposing a public HTTP MCP surface in v1 |
|
Two-step approval gate for writes | Forces an explicit plan→confirm step with a tamper-evident digest before any mutation. This is in-process integrity/confirmation, not independent human authorization — the host UI provides the human prompt via the destructive hints below | Write tools require |
Tamper-resistant approval digest | Blocks changing params after approval planning |
|
Destructive confirmation | Adds explicit friction for delete/rotate operations | Destructive specs require |
Read/write MCP annotations | Gives MCP hosts correct safety hints |
|
API keys never passed as tool args | Reduces credential leakage through prompts/tool logs |
|
Default API host pinning | Avoids accidental credential use against arbitrary hosts |
|
Redirects disabled | Avoids following API responses to unexpected locations |
|
Error redaction | Prevents API keys and secret-named fields from leaking through raised API errors |
|
Untrusted data warnings | Reminds agents not to treat incident content as instructions |
|
No generic URL fetching | Avoids browsing hostile URLs returned in incident data | Server exposes PhishFort API tools only; no tool fetches incident URLs |
Attachment file restrictions | Reduces local file exfiltration risk |
|
Webhook URL preflight (defense-in-depth) | Rejects localhost/private/reserved targets — including legacy decimal/octal/hex IP forms — before a webhook is registered. The server never fetches the URL itself (PhishFort delivers webhooks), so backend egress controls remain the real boundary |
|
Webhook secret containment | Keeps one-time secrets out of tool output |
|
Webhook signature verification | Enables receiver-side HMAC verification |
|
Limit-aware behavior | Avoids known API limit failures where possible |
|
Bounded retry behavior | Avoids unsafe retry storms or unbounded sleeps | Retries only |
About
phishfort-mcp is a public, unofficial MCP integration for teams and operators who want PhishFort incident workflows available inside agentic tools without giving up basic operational control. The MCP server provides live API access; the paired skill gives compatible agents the workflow memory needed to use that access consistently.
It is built for local-first use, explicit approvals, and careful handling of phishing data. The goal is not to make incident response fully autonomous. The goal is to make the repetitive parts faster while keeping sensitive actions, secrets, and untrusted content under control.
Why This Exists
PhishFort has a focused REST API for phishing incident workflows. MCP makes that API usable from agentic tools, and the paired skill teaches those agents the operating procedure: what to read first, how to plan writes, what data is untrusted, and when to stop for explicit approval.
That pairing matters because security workflows are not just API calls. Incident data can contain hostile text, URLs should not be fetched casually, and takedown or webhook operations should not happen from a loose prompt.
phishfort-mcp ships two pieces that work together:
a local
stdioMCP server for live PhishFort API accessan agent-agnostic skill that turns raw tool access into repeatable, safer workflows
approval-gated writes for reporting, actions, evidence, comments, and webhooks
secret-safe handling for API keys and one-time webhook secrets
untrusted-data guardrails for incident text, URLs, and webhook payloads
What You Can Do
Workflow | Tools |
Give agents the PhishFort operating playbook |
|
Check documented API limits |
|
Check identity and client scope |
|
Search and inspect incidents |
|
Report URLs, domains, emails, phones, and IPv4 subjects |
|
Request takedown, monitoring, or safe review |
|
Add evidence and analyst context |
|
Manage webhook subscriptions |
|
Verify incoming webhook deliveries |
|
The server also exposes MCP resources for the distilled API reference, source manifest, and security review:
phishfort://reference/summaryphishfort://reference/limitsphishfort://reference/source-manifestphishfort://reference/security-review
Paired Skill
This repo ships an agent-agnostic skill in skills/phishfort-mcp/SKILL.md. Use it with any skill-capable MCP host to teach the agent the safe operating pattern for this server: read before write, treat incident data as untrusted, never fetch returned URLs by default, and use phishfort_plan_change before mutating calls.
The skill keeps detailed workflows in references/workflows.md, exact tool parameters in references/tool-map.md, and points agents to phishfort_get_limits before workflows where limits change the right next step.
Safety Built In
The standards-backed table above is the detailed proof. Operationally, the server stays local-first, keeps credentials out of tool arguments, treats PhishFort data as untrusted, gates writes through phishfort_plan_change, stores webhook secrets outside tool output, and constrains attachments, webhook URLs, limits, and retries.
See MCP security review for the reasoning behind these choices.
Quick Start
git clone https://github.com/mychaelconnolly/phishfort-mcp.git
cd phishfort-mcp
uv sync --extra devCreate a local key file:
mkdir -p ~/.config/phishfort-mcp
chmod 700 ~/.config/phishfort-mcp
$EDITOR ~/.config/phishfort-mcp/phishfort-api-key.txt
chmod 600 ~/.config/phishfort-mcp/phishfort-api-key.txtRun a local CLI smoke:
uv run phishfort-mcp --helpCodex MCP Registration
codex mcp add phishfort \
--env PHISHFORT_API_KEY_FILE=$HOME/.config/phishfort-mcp/phishfort-api-key.txt \
-- uv --directory <path-to-phishfort-mcp> run phishfort-mcpThen verify:
codex mcp listA fresh Codex session may be required before new MCP tools are discoverable.
Configuration
Variable | Default | Notes |
|
| Pinned to official API host unless override is enabled. |
| unset | Useful for short-lived local shells. |
| unset | Preferred for MCP registration. |
|
| Webhook secrets are written here with |
|
| Comma-separated roots allowed for attachment uploads. |
|
| HTTP request timeout. |
|
| Retries apply to |
|
| Test-only escape hatch for non-production API hosts. |
|
| Test-only escape hatch for localhost/private webhook targets. |
Approval-Gated Writes
Read tools can be called directly. Writes are two-step on purpose:
Call
phishfort_plan_changewithoperationand exact params.Review
warnings,risk,request_digest, andapproval_phrase.Call the intended mutating tool with the same params plus
approval_id,approval_phrase,expires_at, andrequest_digest.
If anything changes, rerun phishfort_plan_change.
This gate is in-process integrity and confirmation: it proves the executed params
match the planned params (tamper-evident digest), enforces expiry, and requires
destructive_confirmed=true for destructive operations. It is not an independent
authorization boundary — the same agent can plan and confirm. The human-in-the-loop
checkpoint is the MCP host's own tool-confirmation UI, driven by the destructive
annotations the server sets.
Verification
uv run ruff check .
uv run pytestOptional live smoke when a valid key exists:
phishfort_whoamiphishfort_list_incidents(limit=1)
Do not run live mutating smoke unless you intend to change PhishFort state.
API Reference
Official PhishFort docs:
This repo includes a distilled reference in docs/reference/phishfort-unified-client-api.md and a source URL manifest in docs/reference/source-manifest.json. Fetched raw PhishFort docs are intentionally not tracked.
License
MIT. See LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mychaelconnolly/phishfort-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server