cortex_run_analyzer_file

Submit a file to any analyzer for analysis by providing a file path or base64-encoded content, enabling automated security investigations.

Instructions

Submit a file to a specific analyzer for analysis. Provide a file path or base64-encoded content.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| analyzerId | Yes | The analyzer ID to run | |
| filePath | No | Path to the file to analyze (local filesystem) | |
| fileBase64 | No | Base64-encoded file content (alternative to filePath) | |
| filename | No | Filename (required with fileBase64, auto-detected from filePath) | |
| contentType | No | MIME type of the file (default: application/octet-stream) | application/octet-stream |
| tlp | No | Traffic Light Protocol level (0=WHITE, 1=GREEN, 2=AMBER, 3=RED) | |
| pap | No | Permissible Actions Protocol level (0-3) | |
| message | No | Optional context message for the analysis | |

Implementation Reference

  • The main handler function for the 'cortex_run_analyzer_file' tool. It reads a file from a local path or decodes base64 content, then calls client.runAnalyzerWithFile() to submit the file for analysis. Returns the job details including jobId for polling results.
      async ({ analyzerId, filePath, fileBase64, filename, contentType, tlp, pap, message }) => {
        try {
          let content: Buffer;
          let name: string;
    
          if (filePath) {
            content = await readFile(filePath);
            name = filename ?? basename(filePath);
          } else if (fileBase64) {
            if (!filename) {
              return {
                content: [
                  {
                    type: "text" as const,
                    text: "filename is required when using fileBase64.",
                  },
                ],
                isError: true,
              };
            }
            content = Buffer.from(fileBase64, "base64");
            name = filename;
          } else {
            return {
              content: [
                {
                  type: "text" as const,
                  text: "Provide either filePath or fileBase64 to submit a file for analysis.",
                },
              ],
              isError: true,
            };
          }
    
          const job = await client.runAnalyzerWithFile(
            analyzerId,
            { content, filename: name, contentType },
            { tlp, pap, message },
          );
    
          return {
            content: [
              {
                type: "text" as const,
                text: JSON.stringify(
                  {
                    jobId: job.id,
                    status: job.status,
                    analyzerId: job.analyzerId,
                    filename: name,
                    fileSize: content.length,
                    message: `File analysis job submitted. Use cortex_wait_and_get_report with jobId "${job.id}" to get results.`,
                  },
                  null,
                  2,
                ),
              },
            ],
          };
        } catch (error) {
          return {
            content: [
              {
                type: "text" as const,
                text: `Error running file analysis: ${error instanceof Error ? error.message : String(error)}`,
              },
            ],
            isError: true,
          };
        }
      },
    );
  • Input schema for the cortex_run_analyzer_file tool using Zod validation. Defines parameters: analyzerId (required string), filePath (optional), fileBase64 (optional), filename (optional), contentType (default: application/octet-stream), tlp (0-3, default: 2), pap (0-3, default: 2), and message (optional context).
    {
      analyzerId: z.string().describe("The analyzer ID to run"),
      filePath: z
        .string()
        .optional()
        .describe("Path to the file to analyze (local filesystem)"),
      fileBase64: z
        .string()
        .optional()
        .describe("Base64-encoded file content (alternative to filePath)"),
      filename: z
        .string()
        .optional()
        .describe("Filename (required with fileBase64, auto-detected from filePath)"),
      contentType: z
        .string()
        .default("application/octet-stream")
        .describe("MIME type of the file (default: application/octet-stream)"),
      tlp: z
        .number()
        .int()
        .min(0)
        .max(3)
        .default(2)
        .describe("Traffic Light Protocol level (0=WHITE, 1=GREEN, 2=AMBER, 3=RED)"),
      pap: z
        .number()
        .int()
        .min(0)
        .max(3)
        .default(2)
        .describe("Permissible Actions Protocol level (0-3)"),
      message: z
        .string()
        .optional()
        .describe("Optional context message for the analysis"),
    },
  • Registration of the 'cortex_run_analyzer_file' tool via server.tool() inside the registerAnalyzerTools() function, which is called from src/index.ts line 34.
    server.tool(
      "cortex_run_analyzer_file",
      "Submit a file to a specific analyzer for analysis. Provide a file path or base64-encoded content.",
      {
        analyzerId: z.string().describe("The analyzer ID to run"),
        filePath: z
          .string()
          .optional()
          .describe("Path to the file to analyze (local filesystem)"),
        fileBase64: z
          .string()
          .optional()
          .describe("Base64-encoded file content (alternative to filePath)"),
        filename: z
          .string()
          .optional()
          .describe("Filename (required with fileBase64, auto-detected from filePath)"),
        contentType: z
          .string()
          .default("application/octet-stream")
          .describe("MIME type of the file (default: application/octet-stream)"),
        tlp: z
          .number()
          .int()
          .min(0)
          .max(3)
          .default(2)
          .describe("Traffic Light Protocol level (0=WHITE, 1=GREEN, 2=AMBER, 3=RED)"),
        pap: z
          .number()
          .int()
          .min(0)
          .max(3)
          .default(2)
          .describe("Permissible Actions Protocol level (0-3)"),
        message: z
          .string()
          .optional()
          .describe("Optional context message for the analysis"),
      },
      async ({ analyzerId, filePath, fileBase64, filename, contentType, tlp, pap, message }) => {
        try {
          let content: Buffer;
          let name: string;
    
          if (filePath) {
            content = await readFile(filePath);
            name = filename ?? basename(filePath);
          } else if (fileBase64) {
            if (!filename) {
              return {
                content: [
                  {
                    type: "text" as const,
                    text: "filename is required when using fileBase64.",
                  },
                ],
                isError: true,
              };
            }
            content = Buffer.from(fileBase64, "base64");
            name = filename;
          } else {
            return {
              content: [
                {
                  type: "text" as const,
                  text: "Provide either filePath or fileBase64 to submit a file for analysis.",
                },
              ],
              isError: true,
            };
          }
    
          const job = await client.runAnalyzerWithFile(
            analyzerId,
            { content, filename: name, contentType },
            { tlp, pap, message },
          );
    
          return {
            content: [
              {
                type: "text" as const,
                text: JSON.stringify(
                  {
                    jobId: job.id,
                    status: job.status,
                    analyzerId: job.analyzerId,
                    filename: name,
                    fileSize: content.length,
                    message: `File analysis job submitted. Use cortex_wait_and_get_report with jobId "${job.id}" to get results.`,
                  },
                  null,
                  2,
                ),
              },
            ],
          };
        } catch (error) {
          return {
            content: [
              {
                type: "text" as const,
                text: `Error running file analysis: ${error instanceof Error ? error.message : String(error)}`,
              },
            ],
            isError: true,
          };
        }
      },
    );
  • The runAnalyzerWithFile() helper method on the CortexClient. It builds a multipart form request with _json metadata and file attachment, sends it to the Cortex API, and returns the resulting job.
    async runAnalyzerWithFile(
      analyzerId: string,
      file: {
        content: Buffer;
        filename: string;
        contentType: string;
      },
      options: {
        tlp: number;
        pap: number;
        message?: string;
      },
    ): Promise<Job> {
      const url = `${this.baseUrl}/analyzer/${encodeURIComponent(analyzerId)}/run`;
      const controller = new AbortController();
      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
    
      try {
        const formData = new FormData();
    
        // Cortex expects _json field with metadata and attachment field with file
        const jsonData = JSON.stringify({
          dataType: "file",
          tlp: options.tlp,
          pap: options.pap,
          message: options.message ?? "",
        });
        formData.append("_json", new Blob([jsonData], { type: "application/json" }));
    
        const fileBuffer = Uint8Array.from(file.content).buffer;
        const fileBlob = new Blob([fileBuffer], { type: file.contentType });
        formData.append("attachment", fileBlob, file.filename);
    
        const response = await fetch(url, {
          method: "POST",
          headers: {
            Authorization: `Bearer ${this.config.apiKey}`,
          },
          body: formData,
          signal: controller.signal,
        });
    
        if (!response.ok) {
          const body = await response.text().catch(() => "");
          throw new Error(`Cortex API error: HTTP ${response.status}${body ? ` - ${body}` : ""}`);
        }
    
        return response.json() as Promise<Job>;
      } catch (error) {
        if (error instanceof Error && error.name === "AbortError") {
          throw new Error(`Cortex API timeout after ${this.timeout}ms`);
        }
        throw error;
      } finally {
        clearTimeout(timeoutId);
      }
    }
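
The handler above passes `filePath` straight to `readFile` and decodes `fileBase64` with `Buffer.from`, which skips invalid characters instead of failing. A guard that could run before submission, as an added example (not cortex-mcp's own code); `loadSubmission`, `allowedDir` and `MAX_BYTES` are hypothetical names and policy values:

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
const MAX_BYTES = 50 * 1024 * 1024; // hypothetical size cap
type Args = { filePath?: string; fileBase64?: string; filename?: string };

// allowedDir is the only directory the tool may read from (an assumed policy
// knob, not a cortex-mcp setting). Throws with a reason on any violation.
function loadSubmission(args: Args, allowedDir: string): { content: Buffer; name: string } {
  const { filePath, fileBase64, filename } = args;
  if ((filePath === undefined) === (fileBase64 === undefined)) throw new Error("provide exactly one of filePath or fileBase64");
  if (filePath !== undefined) {
    // realpathSync follows symlinks and collapses "..", so the containment
    // check applies to the file that would actually be opened.
    const root = fs.realpathSync(allowedDir);
    const real = fs.realpathSync(filePath);
    if (!real.startsWith(root + path.sep)) throw new Error("filePath is outside the allowed directory");
    const st = fs.statSync(real);
    if (!st.isFile() || st.size > MAX_BYTES) throw new Error("not a regular file within the size cap");
    return { content: fs.readFileSync(real), name: path.basename(filename ?? real) };
  }
  if (!filename) throw new Error("filename is required when using fileBase64");
  // Buffer.from(x, "base64") silently skips invalid characters; validate first.
  const b64 = fileBase64 as string;
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) throw new Error("fileBase64 is not valid base64");
  const content = Buffer.from(b64, "base64");
  if (content.length > MAX_BYTES) throw new Error("file exceeds the size cap");
  return { content, name: path.basename(filename) }; // drop any directory part
}

// Constructed demo: one file inside the allowed directory, one outside it.
function demo(): string[] {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-demo-"));
  const inbox = path.join(base, "inbox");
  fs.mkdirSync(inbox);
  fs.writeFileSync(path.join(inbox, "sample.bin"), "abc");
  fs.writeFileSync(path.join(base, "secret.txt"), "k");
  const attempts: Args[] = [
    { filePath: path.join(inbox, "sample.bin") },
    { filePath: `${inbox}/../secret.txt` },
    { fileBase64: "YWJj!!", filename: "x.bin" },
    { fileBase64: "YWJj", filename: "../../x.bin" },
  ];
  const out = attempts.map((a) => {
    try { const r = loadSubmission(a, inbox); return `ok ${r.name} ${r.content.length}`; }
    catch (e) { return `rejected: ${(e as Error).message}`; }
  });
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

The stat-then-read sequence leaves a small race if other users can write to the allowed directory, so keep that directory writable only by the submitting service.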
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description must cover behavioral traits. It only states submission, but does not disclose whether the operation is asynchronous, returns a job, requires specific permissions, or has side effects.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single concise sentence that covers the core action. It is front-loaded and easy to parse, though it could benefit from a brief structure for key parameters.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

The tool has 8 parameters and no output schema or annotations. The description omits return values, error conditions, and behavioral context (e.g., job creation), leaving the agent underinformed for a moderately complex submission.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema already describes all parameters (100% coverage). The description merely repeats the file path/base64 duality without adding extra meaning or constraints beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('submit a file') and the resource ('to a specific analyzer'), specifying two input methods (file path or base64-encoded content). It distinguishes from siblings like cortex_run_analyzer which likely handles observables, not files.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance on when to use this tool versus siblings such as cortex_run_analyzer or cortex_run_analyzer_by_name. The agent is not informed about the appropriate context for file-based analysis.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/solomonneas/cortex-mcp'