VulneraMCP

js.analyze

Analyze JavaScript files to extract endpoints and secrets for security testing and vulnerability assessment.

Instructions

Download, beautify, and analyze a JavaScript file - extract endpoints and secrets

Input Schema

TableJSON Schema

Name	Required	Description	Default
`url`	Yes	URL of the JS file to analyze

Implementation Reference

src/tools/js.ts:243-315 (handler)

Handler function for 'js.analyze' tool: Downloads JS from URL using axios, beautifies with js-beautify, extracts endpoints (URLs and paths) using regex, extracts API keys using regex patterns, stores analysis in Redis via setWorkingMemory, returns formatted result with summary.

async ({ url }: any): Promise<ToolResult> => {
  try {
    // Download
    let source: string;
    try {
      const response = await axios.get(url, {
        timeout: 30000,
        headers: {
          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        },
      });
      source = response.data;
    } catch (error: any) {
      return formatToolResult(false, null, `Failed to download: ${error.message}`);
    }

    // Beautify
    let beautified: string;
    try {
      beautified = beautify.js(source, {
        indent_size: 2,
        space_in_empty_paren: true,
        preserve_newlines: true,
      });
    } catch {
      beautified = source;
    }

    // Find endpoints
    const urlRegex = /\bhttps?:\/\/[\w\-\.:%]+[\w\-\/_\.\?\=\%\&\#]*/g;
    const urls = Array.from(new Set(beautified.match(urlRegex) || []));
    const pathRegex = /["'`](\/[-a-zA-Z0-9_@:\/\.]+)["'`]/g;
    const paths: string[] = [];
    let match: RegExpExecArray | null;
    while ((match = pathRegex.exec(beautified)) !== null) {
      paths.push(match[1]);
    }
    const endpoints = {
      urls,
      paths: Array.from(new Set(paths)),
    };

    // Extract secrets (simplified)
    const secrets: any = {
      apiKeys: [],
      tokens: [],
      candidates: [],
    };
    const apiKeyPattern = /(?:api[_-]?key|apikey)[\s:=]+["'`]([A-Za-z0-9_\-]{20,})["'`]/gi;
    let keyMatch: RegExpExecArray | null;
    while ((keyMatch = apiKeyPattern.exec(beautified)) !== null) {
      secrets.apiKeys.push(keyMatch[1]);
    }
    secrets.apiKeys = Array.from(new Set(secrets.apiKeys));

    await setWorkingMemory(`js:analysis:${url}`, {
      endpoints,
      secrets,
    }, 7200);

    return formatToolResult(true, {
      url,
      endpoints,
      secrets,
      summary: {
        endpointsFound: (endpoints.urls?.length || 0) + (endpoints.paths?.length || 0),
        secretsFound: (secrets.apiKeys?.length || 0) + (secrets.tokens?.length || 0),
      },
    });
  } catch (error: any) {
    return formatToolResult(false, null, error.message);
  }
}

src/tools/js.ts:234-242 (schema)

Input schema and description for the 'js.analyze' tool: requires a single 'url' string parameter.

  description: 'Download, beautify, and analyze a JavaScript file - extract endpoints and secrets',
  inputSchema: {
    type: 'object',
    properties: {
      url: { type: 'string', description: 'URL of the JS file to analyze' },
    },
    required: ['url'],
  },
},

src/tools/js.ts:231-316 (registration)

Registers the 'js.analyze' tool within the registerJsTools function using server.tool(name, schema, handler). This function is called from src/index.ts.

server.tool(
  'js.analyze',
  {
    description: 'Download, beautify, and analyze a JavaScript file - extract endpoints and secrets',
    inputSchema: {
      type: 'object',
      properties: {
        url: { type: 'string', description: 'URL of the JS file to analyze' },
      },
      required: ['url'],
    },
  },
  async ({ url }: any): Promise<ToolResult> => {
    try {
      // Download
      let source: string;
      try {
        const response = await axios.get(url, {
          timeout: 30000,
          headers: {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
          },
        });
        source = response.data;
      } catch (error: any) {
        return formatToolResult(false, null, `Failed to download: ${error.message}`);
      }

      // Beautify
      let beautified: string;
      try {
        beautified = beautify.js(source, {
          indent_size: 2,
          space_in_empty_paren: true,
          preserve_newlines: true,
        });
      } catch {
        beautified = source;
      }

      // Find endpoints
      const urlRegex = /\bhttps?:\/\/[\w\-\.:%]+[\w\-\/_\.\?\=\%\&\#]*/g;
      const urls = Array.from(new Set(beautified.match(urlRegex) || []));
      const pathRegex = /["'`](\/[-a-zA-Z0-9_@:\/\.]+)["'`]/g;
      const paths: string[] = [];
      let match: RegExpExecArray | null;
      while ((match = pathRegex.exec(beautified)) !== null) {
        paths.push(match[1]);
      }
      const endpoints = {
        urls,
        paths: Array.from(new Set(paths)),
      };

      // Extract secrets (simplified)
      const secrets: any = {
        apiKeys: [],
        tokens: [],
        candidates: [],
      };
      const apiKeyPattern = /(?:api[_-]?key|apikey)[\s:=]+["'`]([A-Za-z0-9_\-]{20,})["'`]/gi;
      let keyMatch: RegExpExecArray | null;
      while ((keyMatch = apiKeyPattern.exec(beautified)) !== null) {
        secrets.apiKeys.push(keyMatch[1]);
      }
      secrets.apiKeys = Array.from(new Set(secrets.apiKeys));

      await setWorkingMemory(`js:analysis:${url}`, {
        endpoints,
        secrets,
      }, 7200);

      return formatToolResult(true, {
        url,
        endpoints,
        secrets,
        summary: {
          endpointsFound: (endpoints.urls?.length || 0) + (endpoints.paths?.length || 0),
          secretsFound: (secrets.apiKeys?.length || 0) + (secrets.tokens?.length || 0),
        },
      });
    } catch (error: any) {
      return formatToolResult(false, null, error.message);
    }
  }
);

src/index.ts:36-36 (registration)
Top-level call to registerJsTools(server) in the main server initialization, which registers js.analyze and other JS tools.
```
registerJsTools(server);
```

Tool Definition Quality

A3.5/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It mentions actions (download, beautify, analyze) but does not specify behavioral traits such as whether the download is cached, if beautification alters the original file, what analysis entails (e.g., static or dynamic), error handling, or rate limits. This leaves gaps in understanding the tool's operational behavior.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads all key actions and outcomes without unnecessary words. It uses a dash to separate the action from the purpose, making it easy to parse. Every part of the sentence contributes directly to understanding the tool's function.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (multiple actions: download, beautify, analyze) and no annotations or output schema, the description is somewhat complete but lacks details on behavioral aspects and output format. It covers the high-level purpose but does not address how results are returned or what happens in edge cases, leaving room for improvement in contextual coverage.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with the single parameter 'url' fully documented in the schema. The description does not add any parameter-specific details beyond what the schema provides, such as URL format requirements or supported protocols. Since the schema handles the parameter documentation adequately, the baseline score of 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific actions ('Download, beautify, and analyze') and the target resource ('a JavaScript file'), with explicit outcomes ('extract endpoints and secrets'). It distinguishes from siblings like js.download (download only), js.beautify (beautify only), js.find_endpoints (endpoints only), and js.extract_secrets (secrets only) by combining these functions into a comprehensive workflow.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for analyzing JS files to extract endpoints and secrets, but does not explicitly state when to use this tool versus alternatives like js.find_endpoints or js.extract_secrets. It provides context for the tool's purpose but lacks specific guidance on exclusions or prerequisites, such as whether it should be used for initial reconnaissance versus targeted extraction.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/telmon95/VulneraMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server