nuclei-mcp
Allows scanning of HackerOne program scope targets using Nuclei, with automatic scope gating based on HackerOne scope snapshots.
A scoped Nuclei MCP server that refuses to scan anything not found in your
HackerOne scope snapshots. Works as a companion to h1-scope-watcher.
Architecture
Copilot/Claude (AI agent)
│
│ MCP (stdio)
▼
nuclei-mcp container
│ reads scope
├──────────────────► /data/snapshots/*.json ◄─── h1-scope-watcher writes here
│ runs scan
└──────────────────► nuclei binary (built-in)

The two containers share the same host directory mounted as a volume.
h1-scope-watcher keeps the JSON files up to date; nuclei-mcp only reads them.
Scope Gate — How It Works
Every call to nuclei_scan or check_scope runs this logic before touching the network:
1. Load all *.json files from /data/snapshots
2. Try exact hostname match (e.g. api.life360.com → matches api.life360.com)
3. Try wildcard match (e.g. sub.tile.com → matches *.tile.com)
4. Try fuzzy keyword match (e.g. life360 → finds api.life360.com, api-cloudfront.life360.com)
5. Check eligible_for_bounty == true AND eligible_for_submission == true
6. Block if any check fails — no exception, no override
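A minimal sketch of the gate described above, added here as an illustration and not taken from the nuclei-mcp source. The snapshot layout, the `asset_identifier` and `asset_type` field names, the example.com assets, and the choices to treat dot-free input as a fuzzy keyword and to block a host when any matching asset is ineligible are all assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed snapshot. The layout and the asset_identifier/asset_type field
# names are assumptions; only the two eligible_* flags appear on this page.
SNAPSHOT = json.loads("""[
 {"asset_identifier": "api.example.com", "asset_type": "URL",
  "eligible_for_bounty": true, "eligible_for_submission": true},
 {"asset_identifier": "*.shop.example.com", "asset_type": "WILDCARD",
  "eligible_for_bounty": true, "eligible_for_submission": true},
 {"asset_identifier": "intranet.corp.example.com", "asset_type": "URL",
  "eligible_for_bounty": false, "eligible_for_submission": true},
 {"asset_identifier": "*.corp.example.com", "asset_type": "WILDCARD",
  "eligible_for_bounty": false, "eligible_for_submission": false}
]""")

def normalise(target):
    """Reduce a domain or URL to a bare lowercase hostname ('' if unparsable)."""
    t = target.strip().lower()
    try:
        host = urlsplit(t if "//" in t else "//" + t).hostname
    except ValueError:
        return ""
    return (host or "").rstrip(".")

def matches(host, asset):
    ident = asset["asset_identifier"].lower()
    if ident.startswith("*."):
        # Suffix must start at a label boundary: ident[1:] keeps the leading dot.
        return host.endswith(ident[1:])
    return host == ident

def eligible(asset):
    return (asset.get("eligible_for_bounty") is True
            and asset.get("eligible_for_submission") is True)

def scope_gate(target, assets):
    """Return (allowed, hosts_to_scan); anything unmatched or ineligible is blocked."""
    host = normalise(target)
    hits = [a for a in assets if host and matches(host, a)]
    if hits:
        # Exact or wildcard hit: one ineligible matching asset blocks the host.
        ok = all(eligible(a) for a in hits)
        return ok, ([host] if ok else [])
    if host and "." not in host:
        # Fuzzy keyword: expand only to concrete (non-wildcard) eligible assets.
        found = [a["asset_identifier"] for a in assets
                 if host in a["asset_identifier"].lower()
                 and a["asset_type"] != "WILDCARD" and eligible(a)]
        return bool(found), found
    return False, []
```

Parsing the target with `urlsplit` instead of substring checks is what keeps a URL whose userinfo part contains an in-scope name from passing the gate: the hostname that would actually be contacted is the one compared against scope.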
Quick Start
1. Build the image
cd nuclei-mcp
docker build -t nuclei-mcp .
2. Add to your Claude/Copilot MCP config
Open claude_desktop_config.json (or equivalent), or mcp-config.json for Copilot, and add:
{
  "mcpServers": {
    "h1-scope-watcher": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "D:/projects/H1-Scope-Watcher/snapshots:/data/snapshots",
        "-e", "SNAPSHOTS_DIR=/data/snapshots",
        "mcp/h1-scope"
      ]
    },
    "nuclei-mcp": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "D:/projects/H1-Scope-Watcher/snapshots:/data/snapshots",
        "-e", "SNAPSHOTS_DIR=/data/snapshots",
        "nuclei-mcp"
      ]
    }
  }
}

Key point: Both containers mount the exact same host path (D:/projects/H1-Scope-Watcher/snapshots) so they share the scope data without any extra networking or IPC.
H1-Scope-Watcher
MCP Tools
nuclei_scan
Run a Nuclei scan — scope-gated.
Parameter | Type | Default | Description |
| string | — | Domain, URL, or fuzzy name (e.g. |
| string | | Comma-separated template paths / tags |
| string | | |
| int | | Requests per second |
| string | | Any extra raw nuclei flags |
Example prompts:
"Run nuclei on life360"
"Scan api.tile.com for critical and high findings"
"Run nuclei on production.tile-api.com with cve templates only"
check_scope
Preview the scope gate result without scanning.
Parameter | Type | Description |
| string | Domain, URL, or fuzzy name |
Example prompts:
"Is tile.com in scope?"
"Check if snipeit.corp.tile.com is bounty eligible" → will show BLOCKED
list_programs
Show all assets from all snapshot files, grouped by eligibility.
Environment Variables
Variable | Default | Description |
| | Path to H1 scope JSON files |
| | Nuclei binary path |
| | Per-scan timeout |
Scope Behaviour Reference
From tile.com program example:
Asset | Type | Bounty | Allowed to scan? |
| URL | ✅ | ✅ Yes |
| URL | ✅ | ✅ Yes |
| URL | ✅ | ✅ Yes |
| WILDCARD | ❌ | ⛔ Blocked |
| URL | ❌ | ⛔ Blocked |
| URL | ❌ | ⛔ Blocked |
Legal
Only scan targets you own or have explicit written permission to test. This tool does not grant any authorisation — your HackerOne programme agreement is the authorisation document.