Clearfront MCP Server
The Clearfront MCP Server exposes 30 OSINT tools for investigating digital footprints across public data sources — all passive and intended for authorized use only. AI agents (e.g., Claude) can use it to gather intelligence on emails, usernames, domains, IPs, phone numbers, crypto addresses, and files.
Email Investigation
search_email— Enumerate social accounts linked to an email (holehe)search_breach— Check for email exposure in data breaches (HaveIBeenPwned)search_gravatar— Look up public Gravatar profilesearch_emailrep— Get email reputation and footprint summarysearch_paste— Search public paste sites for an email or usernamesearch_hudsonrock— Check infostealer/stolen credential exposure via Hudson Rock Cavalier
Username & Identity Discovery
search_username— Check presence across 300+ platforms (Sherlock + WhatsMyName)search_maigret— Broad identity discovery across 3,000+ sites
Domain & DNS Intelligence
search_whois— WHOIS registration datasearch_domain— Subdomain enumerationsearch_crt— Subdomain discovery via certificate transparency logssearch_dns— Full DNS enumeration with email security analysis (SPF, DMARC, DKIM)search_wayback— Historical/deleted URLs via the Wayback Machinesearch_harvester— Passive domain recon (emails, subdomains, hosts)
IP Address & Threat Intelligence
search_ip— Geolocation and ASN lookupsearch_exposure— Risk-ranked IP exposure report (VPN/Tor flags, blocklists)search_ip2location— Enhanced IP intelligence: VPN/proxy/Tor/datacenter detectionsearch_abuseipdb— IP abuse reputation via AbuseIPDBsearch_greynoise— Classify IP as internet background noise vs. targeted actorsearch_shodan— Open ports, banners, and CVEs via Shodansearch_virustotal— Check IPs, domains, URLs, or file hashes against 70+ AV enginessearch_censys— Internet-facing infrastructure, certificates, and open services
Social, Web & GitHub
search_github— GitHub profile, repos, commit-discovered emails, and exposed secretssearch_footprint— Search-based public profile discovery for a name, email, username, domain, or phonescrape_url— Fetch any URL bypassing bot-protection, returned as clean Markdown
Dorking & Search
generate_dorks— Generate 12 targeted Google dork URLs (no network calls)search_dorks_live— Execute live Google dork searches via Bright Data SERP API
Phone, Crypto & File Metadata
search_phone— Carrier, country, and line type for a phone numbersearch_crypto— Bitcoin or Ethereum address balance and transaction summarysearch_exif— Extract EXIF/IPTC/XMP metadata and GPS from a local file
Multi-Target Investigation
investigate_multi— Investigate up to 10 targets in parallel using the full OSINT toolchain, generating individual and summary reports
Provides tools for looking up Bitcoin addresses, returning balance and transaction count.
Provides search-based footprint discovery using DuckDuckGo as a search backend.
Provides tools for looking up Ethereum addresses, returning balance and transaction count.
Provides tools for searching GitHub profiles, repositories, and exposing secrets.
Provides tools for generating Google dork queries and performing live Google searches via SERP APIs.
Provides tool for looking up public Gravatar profiles linked to an email address.
Provides tool for retrieving historical URLs archived under a domain via the Wayback Machine.
Provides tool for searching Pastebin dump mentions for a given domain or keyword.
Provides tool for scanning files/URLs with multiple antivirus engines via VirusTotal API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Clearfront MCP Serverinvestigate email test@example.com"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
30 modular tools, email, username (sherlock + WhatsMyName), broad username discovery across 3,000+ sites (maigret), search-based footprint discovery, IP, IP self-exposure report, domain, WHOIS, breach, Gravatar profile, EmailRep reputation, phone, paste, EXIF/GPS metadata, Shodan, VirusTotal, Censys, IP2Location, AbuseIPDB, GitHub (profile + public code/secret exposure), DNS, subdomain discovery via certificate transparency (crt.sh), historical URL recovery via the Wayback Machine (Internet Archive), mass-scan visibility (GreyNoise Community), infostealer-exposure check (Hudson Rock, free tier, no plaintext credentials), dork generation, live dork search, URL scraping, BTC/ETH address lookup, and passive domain recon (theHarvester)
MCP server built in, expose all 30 tools natively to Claude Code, Claude Desktop, and any MCP-compatible client
Three AI backends, Anthropic Claude (default), local Ollama, or any OpenAI-compatible endpoint; tool results come from real subprocess calls, never hallucinated
Fully async, parallel tool execution via
asyncio.gather()with hard subprocess timeoutsMIT licensed, no embedded LLM; bring your own API key or run fully offline
Legal Disclaimer: Clearfront is intended for legal and authorized use only. Users are solely responsible for ensuring their use complies with all applicable laws and regulations. The authors accept no liability for misuse. See DISCLAIMER.md.
What is Clearfront?
Clearfront is an AI agent for Open Source Intelligence with three interfaces: an interactive terminal REPL, a direct CLI, and an MCP server exposable to Claude Code, Claude Desktop, or any MCP-compatible client, plus a browser-based Web UI. The AI layer uses Anthropic's native tool use API (or a local Ollama model, or any OpenAI-compatible endpoint): the model issues hard stops when it needs a tool, your code executes the real binary, the actual output goes back, hallucination in tool results is structurally impossible.
Related MCP server: OSINT MCP Server
Installation
git clone https://github.com/scottmartinanderson/clearfront
cd clearfront
pip install -e .External binaries (must be in PATH):
Binary | Purpose | Install |
| Email account enumeration |
|
| Username enumeration (300+ platforms) |
|
| Subdomain enumeration |
|
| Phone number intelligence | |
| Passive domain recon (emails/subdomains) |
|
If a binary is absent, the corresponding tool returns a descriptive error string. All other tools remain operational.
Quick Start
# Interactive AI REPL (default)
clearfront
# Web interface
clearfront web
# Direct tool (no AI)
clearfront email target@example.comConfiguration
Store all keys in a .env file at the project root (copy .env.example). python-dotenv loads it automatically at startup.
Variable | Tool | Required | Purpose |
| AI agent | Yes (or use Ollama / OpenAI) | Anthropic API key |
| AI agent | Optional | Base URL of an OpenAI-compatible endpoint (e.g. |
| AI agent | Optional | API key for the OpenAI-compatible endpoint (local servers may ignore it) |
| AI agent | Optional | Model name to request from the endpoint (default: |
|
| Optional | HaveIBeenPwned v3, get one |
|
| Optional | ipinfo.io higher rate limits |
|
| Optional | Shodan API, get one |
|
| Optional | VirusTotal API v3, get one |
|
| Optional | IP2Location.io enhanced IP intelligence, get one |
|
| Optional | Censys Platform API: Personal Access Token + Organization ID, get one |
|
| Optional | AbuseIPDB v2, get one |
|
| Optional | GitHub API, raises rate limit from 60 to 5000 req/h, get one |
|
| Optional | Serper.dev Google SERP API, the preferred SERP backend (~$1/1k, 2,500 free), get one. |
|
| Optional | Bright Data API key, get one (free tier: 5,000 req/month). |
|
| Optional | Your Bright Data SERP API zone name (e.g. |
|
| Optional | Your Bright Data Web Unlocker zone name (e.g. |
The Bright Data link above is a referral link; signing up through it supports Clearfront at no extra cost to you.
Optional Python packages:
Package | Purpose | Install |
| Local LLM backend (no API key) |
|
| OpenAI-compatible backend for the REPL/CLI ( |
|
| Shodan API client |
|
| PDF report export |
|
| Censys API client |
|
Tools
Tool | Powered by | What it investigates |
| holehe | Social accounts linked to an email address |
| sherlock | Username presence across 300+ platforms |
| HaveIBeenPwned v3 API | Data breach exposure |
| python-whois | Domain registrant and DNS info |
| ipinfo.io | Geolocation, ASN, hostname |
| sublist3r | Subdomain enumeration |
| crt.sh | Subdomains from certificate transparency (keyless, passive) |
| Internet Archive | Historical/deleted URLs archived under a domain (keyless, passive) |
| GreyNoise Community | Mass-scanner noise vs. targeted actor for an IP (free, 50/week) |
| built-in | 12 targeted Google dork URLs (no network calls) |
| psbdmp.ws | Pastebin dump mentions |
| phoneinfoga | Carrier, country, line type |
| Shodan API | Open ports, banners, CVEs |
| VirusTotal API v3 | Verdict from 70+ antivirus engines |
| IP2Location.io API | Enhanced IP intel: VPN/Proxy/Tor/datacenter flags |
| Censys Search API | Internet-facing infrastructure, certificates |
| AbuseIPDB v2 API | IP abuse reputation: confidence score, reports, country, ISP |
| GitHub REST API | Profile, repos, commit-discovered emails, username/keyword search |
| dnspython (built-in) | A/AAAA/MX/NS/TXT/CNAME/SOA records; SPF, DMARC, DKIM analysis |
| Bright Data SERP API | Live Google search results for dork queries (title, URL, snippet) |
| Bright Data Web Unlocker | Fetch any URL bypassing Cloudflare/CAPTCHA, returns clean Markdown |
| maigret | Username presence across 3,000+ sites |
| SERP (Serper / Bright Data / DuckDuckGo) | Search-based footprint discovery for a name or handle |
| Gravatar API | Public Gravatar profile for an email: avatar, display name, linked accounts |
| EmailRep.io | Email reputation and footprint summary |
| Hudson Rock Cavalier (free) | Infostealer-exposure check for an email or username (no plaintext credentials) |
| exiftool | EXIF / IPTC / XMP metadata and embedded GPS from a local file |
| public chain APIs | Bitcoin / Ethereum address summary: balance, transaction count |
| theHarvester | Passive domain recon: emails, subdomains, hosts |
| built-in (composite) | Self-exposure report for an IP across the infrastructure tools |
Interfaces
Interactive REPL
Run clearfront with no arguments to start the AI-powered REPL. Type a target (email, username, domain, IP, name) or a question; the agent decides which tools to run, chains them on findings, and compiles a report.
REPL commands: <target>, clear, save, tools, config, history, help, exit / Ctrl-D.
All sessions are auto-saved to ~/.clearfront/history/. Browse with clearfront history.
Web UI
pip install "clearfront[web]"
clearfront web
# Opens http://localhost:8080 automaticallyBrowser-based AI chat with streaming tool output, inline result cards, and a light/dark theme toggle. Supports fully local inference via Ollama or any OpenAI-compatible endpoint (no Anthropic API key required when using a local backend).
The console runs entirely on your machine and binds to 127.0.0.1 by default. Choose your backend and paste your own key in Settings; your keys and the targets you investigate never touch our servers. Screenshots are in media/screenshots/.
MCP Server
Expose all 30 tools to any MCP-compatible AI client.
Claude Code:
claude mcp add clearfront python /absolute/path/to/clearfront/mcp_server.py
claude mcp listClaude Desktop, add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"clearfront": {
"command": "python",
"args": ["/absolute/path/to/clearfront/mcp_server.py"]
}
}
}Docker
docker compose up --build
docker compose run --rm clearfront email target@example.com --jsonSet ANTHROPIC_API_KEY (and optionally HIBP_API_KEY, IPINFO_TOKEN) in a .env file or export them before running. Reports persist to ./reports/ via a volume mount.
CLI Reference
Flag / Subcommand | Description |
| Interactive AI REPL (default) |
| Launch browser UI |
| Direct email scan |
| Direct username scan |
| Shodan lookup |
| VirusTotal lookup |
| Censys lookup |
| IP2Location lookup |
| AbuseIPDB reputation check |
| GitHub profile/repo/email discovery |
| DNS records + email security analysis |
| Parallel multi-target investigation (max 10) |
| Auto-pivot and export the entity correlation graph (GraphML/JSON/Mermaid) |
| View/manage REPL session history |
| Enable debug logging to stderr |
| Override subprocess timeout (seconds) |
| Anthropic API key (overrides env var) |
| Run complementary tools concurrently |
| Output results as structured JSON |
| Write results to FILE instead of stdout (raw; combine with |
| AI provider (default: |
| Ollama model name (default: |
| Ollama server URL (default: |
| OpenAI-compatible endpoint base URL (env: |
| Model to request from the endpoint (env: |
| API key for the endpoint (env: |
| Disable automatic PDF generation |
Contributing
Issues and pull requests are welcome. See CONTRIBUTING.md for the development workflow and coding conventions. Please read DISCLAIMER.md before contributing.
License
Clearfront is open source under the MIT License.
The bundled username dataset clearfront/tools/data/wmn-data-unique.json is a filtered
adaptation of the WhatsMyName project
by Micah Hoffman, used under the CC BY-SA 4.0
license; that file (and adaptations of it) remains under CC BY-SA 4.0. See
clearfront/tools/data/NOTICE.
For authorized security research only. See DISCLAIMER.md.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/scottmartinanderson/clearfront'
If you have feedback or need assistance with the MCP directory API, please join our Discord server