Tradecraft MCP
Check domains, IPs, and URLs against abuse.ch threat feeds including URLhaus, Feodo Tracker, and SSL Blacklist.
Look up Gravatar profiles associated with email addresses.
Check email addresses against known data breaches and paste dumps via Have I Been Pwned.
Query VirusTotal for file hash reports, URL scans, domain reputation, and IP reputation.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Tradecraft MCPrun domain reconnaissance on example.com"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Tradecraft MCP
An OSINT (Open Source Intelligence) tradecraft toolkit exposed as an MCP server. Provides 31 tools for domain reconnaissance, email/identity research, threat intelligence, and web/social media analysis — plus 12 prompt templates that guide structured investigation workflows.
17 tools work out of the box with no configuration. The remaining 14 unlock with optional API keys and the server gracefully tells you how to set them up when they're missing.
Quick Start
# Install dependencies
uv sync
# Run the server
uv run tradecraft-mcpClaude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"tradecraft-mcp": {
"command": "uv",
"args": ["run", "--directory", "/path/to/tradecraft-mcp", "tradecraft-mcp"]
}
}
}Claude Code
claude mcp add tradecraft-mcp -- uv run --directory /path/to/tradecraft-mcp tradecraft-mcpMCP Inspector
uv run mcp dev src/tradecraft_mcp/server.pyRemote Access (SSE / Streamable HTTP)
The server supports three transports: stdio (default), sse, and streamable-http. Use the HTTP-based transports to run the server on a machine and connect to it remotely.
# Start with SSE transport on default port 8000
uv run tradecraft-mcp --transport sse
# Start with streamable-http on a custom port
uv run tradecraft-mcp --transport streamable-http --port 9000
# Bind to a specific interface
uv run tradecraft-mcp --transport sse --host 127.0.0.1 --port 8080Then configure your MCP client to connect to the remote URL:
{
"mcpServers": {
"tradecraft-mcp": {
"url": "http://<host>:8000/sse"
}
}
}For streamable-http, the endpoint is http://<host>:<port>/mcp.
Run uv run tradecraft-mcp --help to see all options.
Authentication
HTTP transports are open by default. Three authentication modes are supported: static bearer token, Google ID token verification, and full Google OAuth flow.
Static Bearer Token
# Via CLI flag
uv run tradecraft-mcp --transport sse --auth-token my-secret
# Via environment variable
MCP_AUTH_TOKEN=my-secret uv run tradecraft-mcp --transport streamable-httpClients must then include Authorization: Bearer my-secret in every request. Requests without a valid token receive a 401 response.
Google ID Token Verification
Verify Google-issued JWT ID tokens without running a full OAuth flow. Requires only the Google OAuth2 client ID:
# Via CLI flags
uv run tradecraft-mcp --transport sse --google-client-id YOUR_CLIENT_ID
# Restrict to specific emails or domains
uv run tradecraft-mcp --transport sse \
--google-client-id YOUR_CLIENT_ID \
--google-allowed-emails alice@example.com,bob@example.com
uv run tradecraft-mcp --transport sse \
--google-client-id YOUR_CLIENT_ID \
--google-allowed-domains example.com,mycompany.com
# Via environment variables
MCP_GOOGLE_CLIENT_ID=YOUR_CLIENT_ID uv run tradecraft-mcp --transport sseFull Google OAuth Flow
For a complete OAuth2 authorization code flow (consent screen, token exchange, refresh tokens), provide both the client ID and client secret:
# Via CLI flags
uv run tradecraft-mcp --transport sse \
--google-client-id YOUR_CLIENT_ID \
--google-client-secret YOUR_CLIENT_SECRET
# With email/domain restrictions
uv run tradecraft-mcp --transport sse \
--google-client-id YOUR_CLIENT_ID \
--google-client-secret YOUR_CLIENT_SECRET \
--google-allowed-domains mycompany.com
# Via environment variables
MCP_GOOGLE_CLIENT_ID=YOUR_CLIENT_ID \
MCP_GOOGLE_CLIENT_SECRET=YOUR_CLIENT_SECRET \
uv run tradecraft-mcp --transport sseThe server exposes /oauth/google/callback as the redirect URI — configure this in your Google Cloud Console OAuth credentials.
Auth Options Reference
Option | Env Var | Description |
|
| Static bearer token (enables simple auth when set) |
|
| Google OAuth2 client ID (enables Google auth) |
|
| Google OAuth2 client secret (enables full OAuth flow) |
|
| Comma-separated allowed email addresses |
|
| Comma-separated allowed email domains |
|
| OAuth issuer URL (default: |
|
| Comma-separated required scopes |
CLI flags take precedence over environment variables. Auth is ignored for stdio transport. When both Google auth and a static token are configured, Google auth takes precedence.
Related MCP server: OSINT MCP Server
Tools
Domain / IP / DNS Recon (9 tools)
Tool | Description | API Key |
| WHOIS for domain or IP — registrar, dates, nameservers | None |
| Query A, AAAA, MX, NS, TXT, CNAME, SOA records | None |
| Reverse DNS on an IP to find hostnames | None |
| Search crt.sh for certificates and subdomains | None |
| Subdomains via CT logs + optional brute-force + SecurityTrails |
|
| Geo data — country, city, ISP, ASN | None |
| Shodan host info — ports, services, vulns, geo |
|
| Shodan hosts for a domain |
|
| Censys host — services, TLS, ASN |
|
Email & Identity (6 tools)
Tool | Description | API Key |
| Format check + MX record verification | None |
| MX, SPF, DKIM, DMARC analysis + mail provider detection | None |
| Gravatar profile from email hash | None |
| Check username across major platforms via HTTP probing | None |
| Have I Been Pwned breach lookup |
|
| Have I Been Pwned paste index lookup |
|
Threat Intelligence (7 tools)
Tool | Description | API Key |
| Check against Abuse.ch URLhaus, Feodo Tracker, SSL Blacklist | None |
| VirusTotal analysis for a file hash |
|
| VirusTotal scan/report for a URL |
|
| VirusTotal domain reputation + DNS + detections |
|
| VirusTotal IP reputation + associated URLs/files |
|
| AbuseIPDB reports, confidence, ISP |
|
| Auto-detect IOC type, query all relevant tools, consolidated report | Uses underlying keys |
Web & Social Media (7 tools)
Tool | Description | API Key |
| Fetch page as clean text + metadata, respects robots.txt | None |
| Security header analysis — CSP, HSTS, X-Frame, cookies | None |
| OpenGraph, Twitter Card, linked resources, tech fingerprint | None |
| Generate Google dork queries for a target + goal | None |
| Wayback Machine archived snapshots | None |
| Extract public profile data from a social media URL | None |
| CMS, framework, CDN, analytics detection | None |
Prompt Templates
Prompt templates guide structured investigation workflows. Select one to get a step-by-step methodology that calls the right tools in the right order.
Domain Investigation
domain_full_recon— Multi-phase domain recon (WHOIS, DNS, subdomains, services, web, history)infrastructure_mapping— Map an org's internet-facing infrastructure from a domaindomain_threat_assessment— Assess domain threat posture with reputation + DNS + certs
Person / Identity Investigation
email_investigation— Start from email: validate, breaches, domain, gravatar, username searchusername_investigation— Start from username: enumerate platforms, find patterns, build profileperson_osint— Full person investigation using all available identifiers
Threat Assessment
ioc_investigation— Investigate a suspicious IOC with enrichment + threat feedsmalware_hash_analysis— Analyze malware hash: VT report + detection ratio + behaviorsuspicious_url_analysis— Analyze suspicious URL: reputation, WHOIS, cert, phishing checklistip_threat_profile— Build IP threat profile: geo + Shodan + AbuseIPDB + VT + reverse DNS
General OSINT
osint_methodology— General OSINT methodology framework (plan, collect, process, analyze, report)attack_surface_discovery— Discover org attack surface: domains, services, creds, documents, tech
API Keys
All keys are optional. Copy .env.example to .env and fill in the ones you have:
cp .env.example .envVariable | Service | How to Get |
| Register (free tier available) | |
| ||
| ||
| Sign up (free tier available) | |
| ||
| Register (free tier available) | |
| Sign up (free tier available) |
When a tool requiring a missing key is called, it returns a clear error message with the setup URL — no cryptic failures.
Development
# Install with dev dependencies
uv sync --group dev
# Run tests
uv run pytest tests/ -v
# Run a single test file
uv run pytest tests/test_domain_recon.py -vProject Structure
tradecraft-mcp/
├── pyproject.toml
├── src/
│ └── tradecraft_mcp/
│ ├── __init__.py # Entry point, version
│ ├── __main__.py # python -m tradecraft_mcp
│ ├── auth.py # Token verification (static + Google)
│ ├── oauth_provider.py # Google OAuth authorization server provider
│ ├── server.py # FastMCP instance, lifespan, registration
│ ├── config.py # API key loading from env vars
│ ├── tools/
│ │ ├── __init__.py # register_all_tools(mcp)
│ │ ├── domain_recon.py # 9 tools
│ │ ├── email_identity.py # 6 tools
│ │ ├── threat_intel.py # 7 tools
│ │ └── web_social.py # 7 tools
│ └── prompts/
│ ├── __init__.py # register_all_prompts(mcp)
│ ├── domain_investigation.py
│ ├── person_investigation.py
│ ├── threat_assessment.py
│ └── general_osint.py
└── tests/
├── conftest.py
├── test_domain_recon.py
├── test_email_identity.py
├── test_threat_intel.py
└── test_web_social.pyArchitecture
Authentication: Optional auth for HTTP transports — static bearer token, Google ID token verification, or full Google OAuth2 flow (uses MCP SDK's
TokenVerifierprotocol andOAuthAuthorizationServerProvider)Transport: stdio (default), SSE, or streamable-http — selectable via
--transportHTTP session: Single
aiohttp.ClientSessionshared across all tools via FastMCP lifespanOutput format: Markdown strings optimized for LLM consumption
Error handling: Missing API keys raise
ValueError(surfaced by the MCP SDK as tool errors); network errors are caught and returned as descriptive stringsLogging: All logging to stderr via Python
logging— never stdout (MCP stdio transport requirement)
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/glennadjrussell/tradecraft-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server