VulneraMCP

recon.subfinder

Discover subdomains for target domains using automated reconnaissance to identify potential attack surfaces for security testing.

Instructions

Run subfinder to discover subdomains for a domain

Input Schema

TableJSON Schema

Name	Required	Description	Default
`domain`	Yes	Target domain
`silent`	No	Silent mode

Implementation Reference

src/tools/recon.ts:25-56 (handler)

The handler function that executes the subfinder CLI tool: checks if subfinder is installed, runs it with the domain argument (optionally silent), parses subdomains from stdout, saves results to Postgres and Redis, and returns formatted ToolResult.

async ({ domain, silent = true }: any): Promise<ToolResult> => {
  try {
    const exists = await checkCommandExists('subfinder');
    if (!exists) {
      return formatToolResult(
        false,
        null,
        'subfinder not found. Install from: https://github.com/projectdiscovery/subfinder'
      );
    }

    const args = ['-d', domain];
    if (silent) args.push('-silent');

    const result = await runCommand('subfinder', args);
    const subdomains = result.stdout
      .split('\n')
      .filter((s) => s.trim().length > 0);

    await saveTestResult(domain, 'subfinder', true, { subdomains });
    await setWorkingMemory(`recon:${domain}:subdomains`, subdomains, 3600);

    return formatToolResult(true, {
      subdomains,
      count: subdomains.length,
      raw: result.stdout,
    });
  } catch (error: any) {
    await saveTestResult(domain, 'subfinder', false, null, error.message);
    return formatToolResult(false, null, error.message);
  }
}

src/tools/recon.ts:16-23 (schema)

Input schema for the recon.subfinder tool, defining 'domain' as required string and 'silent' as optional boolean.

inputSchema: {
  type: 'object',
  properties: {
    domain: { type: 'string', description: 'Target domain' },
    silent: { type: 'boolean', description: 'Silent mode', default: true },
  },
  required: ['domain'],
},

src/tools/recon.ts:12-57 (registration)

Registration of the 'recon.subfinder' tool via server.tool() call inside registerReconTools function, which is invoked from src/index.ts.

server.tool(
  'recon.subfinder',
  {
    description: 'Run subfinder to discover subdomains for a domain',
    inputSchema: {
      type: 'object',
      properties: {
        domain: { type: 'string', description: 'Target domain' },
        silent: { type: 'boolean', description: 'Silent mode', default: true },
      },
      required: ['domain'],
    },
  },
  async ({ domain, silent = true }: any): Promise<ToolResult> => {
    try {
      const exists = await checkCommandExists('subfinder');
      if (!exists) {
        return formatToolResult(
          false,
          null,
          'subfinder not found. Install from: https://github.com/projectdiscovery/subfinder'
        );
      }

      const args = ['-d', domain];
      if (silent) args.push('-silent');

      const result = await runCommand('subfinder', args);
      const subdomains = result.stdout
        .split('\n')
        .filter((s) => s.trim().length > 0);

      await saveTestResult(domain, 'subfinder', true, { subdomains });
      await setWorkingMemory(`recon:${domain}:subdomains`, subdomains, 3600);

      return formatToolResult(true, {
        subdomains,
        count: subdomains.length,
        raw: result.stdout,
      });
    } catch (error: any) {
      await saveTestResult(domain, 'subfinder', false, null, error.message);
      return formatToolResult(false, null, error.message);
    }
  }
);

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions 'run subfinder' which implies execution, but doesn't describe what happens during execution (e.g., network activity, time taken, output format), potential side effects, or any constraints like rate limits. This leaves significant gaps in understanding the tool's behavior.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that directly states the tool's purpose without any unnecessary words. It's front-loaded and wastes no space, making it easy to parse quickly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of a tool that runs an external command (subfinder) with no annotations and no output schema, the description is insufficient. It doesn't explain what the output looks like (e.g., list of subdomains, errors), how results are returned, or any dependencies. For a tool with potential behavioral nuances, more context is needed.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 100% description coverage, so the schema already documents both parameters ('domain' and 'silent'). The description doesn't add any meaning beyond this, such as explaining what 'silent mode' entails or providing examples. With high schema coverage, the baseline score of 3 is appropriate as the description doesn't compensate but also doesn't detract.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('run subfinder') and the resource ('to discover subdomains for a domain'), making the purpose immediately understandable. It doesn't explicitly differentiate from sibling recon tools like 'recon.amass' or 'recon.dns', which might have overlapping functionality, so it doesn't reach the highest score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives like 'recon.amass' or 'recon.full', nor does it mention any prerequisites or context for usage. It simply states what the tool does without indicating appropriate scenarios or exclusions.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/telmon95/VulneraMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server