JsHookMcp
JsHookMcp is an AI-powered MCP server providing 500+ tools across 36 domains for JavaScript analysis, security research, browser automation, and reverse engineering.
Meta-Tool Capabilities (always exposed)
search_tools— Keyword/vector hybrid search to discover toolsroute_tool— Natural language task router that recommends tools, workflows, and activation orderdescribe_tool— Retrieve full details and input schema for any toolactivate_tools/deactivate_tools— Dynamically register or remove specific tools to manage contextactivate_domain— Activate an entire domain at once (e.g.,browser,network,debugger) with optional auto-expirycall_tool— Execute any active tool by name
Broader Capabilities (accessible after activation)
🌐 Browser Automation — Chromium/Camoufox control, CDP debugging, anti-detection, CAPTCHA handling
📡 Network Interception — HTTP/2 traffic monitoring, MiTM capture, GraphQL analysis, Burp Suite bridge
🪝 JavaScript Analysis — JS hooks, AST transforms, source-map reconstruction, deobfuscation
🧠 AI-Driven Code Analysis — LLM-powered deobfuscation, crypto detection, AST comprehension
🔍 Reverse Engineering — WASM disassembly, binary analysis, Frida/Ghidra/IDA integration
🧰 Process & Memory Forensics — Native FFI scanning, hardware breakpoints, PE introspection
🔄 Dynamic Extensibility — Declarative workflows, hot-reload plugins, cross-domain orchestration
🛡️ Security Research — Exploit development, syscall hooks, protocol analysis, encoding utilities
Provides a bridge for Burp Suite, enabling integration with the Burp Suite security testing platform for network interception and analysis.
Provides GraphQL introspection capabilities for analyzing and querying GraphQL APIs.
@jshookmcp/jshook
English | 中文
An MCP server that gives AI agents 600+ tools across 34 domains for JavaScript analysis and security research — browser automation, CDP debugging, network interception, JS hooks, LLM-powered code analysis, process/memory forensics, WASM reverse engineering, source-map reconstruction, AST transforms, and composite workflows in a single server.
Quick Links
Related MCP server: Codehooks.io MCP Server
🚀 Quick Start
No global install needed — add to your MCP client config and you're ready:
Claude Desktop / Cursor (claude_desktop_config.json):
{
"mcpServers": {
"jshook": {
"command": "npx",
"args": ["-y", "@jshookmcp/jshook@latest"],
"env": { "JSHOOK_BASE_PROFILE": "search" }
}
}
}(Windows: use npx.cmd absolute path if npx is not found)
Share one daemon across multiple agents
The default stdio configuration starts one full jshook process per MCP host. To share the embedding model, browser runtime, and caches, start one local Streamable HTTP daemon:
pnpm build
pnpm daemonThen point every MCP client at http://127.0.0.1:3000/mcp using its HTTP/URL server
configuration. Each client receives its own MCP session and response route while heavyweight
runtime resources remain in one process. Keep the default loopback bind; set MCP_AUTH_TOKEN
before exposing the endpoint beyond localhost.
🌟 Highlights
🤖 AI-Driven Analysis — LLM-powered deobfuscation, crypto detection, AST comprehension
⚡ Search-First Context Efficiency —
searchprofile ≈ 3K tokens vsfull≈ 40K+ tokens🎯 Progressive Tiers —
search→workflow→full, activate on demand🌐 Full-Stack Browser Automation — Chromium/Camoufox + CDP + anti-detection + CAPTCHA handling
🔁 Runtime Recovery and Session Isolation — HTTP sessions restore activated domains, browser attach state, coverage state, and isolate browser-side session state per client
🧭 Schema-First Meta Tools —
describe_tool, validatedcall_tool, andcoverage_reportreduce parameter errors and make tool coverage visible📡 Network Interception — HTTP/2 frame building, MiTM capture, GraphQL, Burp Suite bridge
🛠️ Reverse Engineering Toolchain — WASM disassembly, binary analysis, Frida, Ghidra/IDA bridges
🧰 Process & Memory Forensics — Native FFI scanning, hardware breakpoints, PE introspection
🧩 Dynamic Extensibility — Hot-reload plugins, declarative workflows, auto-discovered domains
Recent Runtime Notes
HTTP transport now multiplexes independent MCP sessions and restores runtime state after reconnects.
proxy_startauto-generates a local HTTPS interception CA when needed.Browser CAPTCHA solving is now explicit-input driven: pass
taskKind,siteKey,imageBase64,callbackName, andresponseSelectoras needed. Built-in widget/page signature probing is intentionally not used.
Architecture
Runtime Registry — Domains auto-discovered via
manifest.ts; add a domain by creating one fileLazy Initialization — Handlers instantiated on first call, not at startup
BM25 + Vector Search —
search_toolsmeta-tool with hybrid ranking and adaptive weightsMCP ToolAnnotations — Every tool carries
readOnlyHint/destructiveHint/idempotentHint/openWorldHint
Registry Snapshot
The built-in surface below is generated from the runtime registry and checked in CI.
Package version:
0.3.4Built-in Tools:
636Domains:
adb-bridge,binary-instrument,boringssl-inspector,browser,canvas,coordination,core,cross-domain,dart-inspector,debugger,encoding,exploit-dev,extension-registry,graphql,instrumentation,maintenance,memory,mojo-ipc,native-bridge,native-emulator,network,platform,process,protocol-analysis,proxy,sourcemap,streaming,syscall-hook,trace,transform,v8-inspector,wasm,webgpu,workflowNote: this snapshot is generated from the runtime registry; do not edit the counts by hand.
Project Stats
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/vmoranv/jshookmcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server