Megaraptor MCP

create_offline_collector

Generate self-contained forensic collection packages for air-gapped systems to gather artifacts without network connectivity.

Instructions

Create an offline collection package for air-gapped systems.

Generates a self-contained package that collects forensic artifacts without requiring network connectivity to a Velociraptor server.

Args: artifacts: List of artifacts to collect (e.g., ['Windows.System.Pslist']) target_os: Target OS - 'windows', 'linux', or 'macos' artifact_set: Use predefined artifact set instead of listing artifacts. Options: 'windows_triage', 'windows_quick', 'linux_triage', 'macos_triage', 'memory', 'ransomware' encrypt_output: Encrypt collection output with a generated password deployment_id: Optional deployment ID for tracking

Returns: Path to generated collector package and usage instructions.

Input Schema

TableJSON Schema

Name	Required	Default
`artifacts`	Yes
`target_os`	No	windows
`artifact_set`	No
`encrypt_output`	No
`deployment_id`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

src/megaraptor_mcp/tools/deployment.py:601-678 (handler)

The handler for the create_offline_collector tool, which generates an offline forensic collection package.

async def create_offline_collector(
    artifacts: list[str],
    target_os: str = "windows",
    artifact_set: Optional[str] = None,
    encrypt_output: bool = False,
    deployment_id: Optional[str] = None,
) -> list[TextContent]:
    """Create an offline collection package for air-gapped systems.

    Generates a self-contained package that collects forensic artifacts
    without requiring network connectivity to a Velociraptor server.

    Args:
        artifacts: List of artifacts to collect (e.g., ['Windows.System.Pslist'])
        target_os: Target OS - 'windows', 'linux', or 'macos'
        artifact_set: Use predefined artifact set instead of listing artifacts.
                     Options: 'windows_triage', 'windows_quick', 'linux_triage',
                     'macos_triage', 'memory', 'ransomware'
        encrypt_output: Encrypt collection output with a generated password
        deployment_id: Optional deployment ID for tracking

    Returns:
        Path to generated collector package and usage instructions.
    """
    try:
        from ..deployment.agents import OfflineCollectorGenerator
        from ..deployment.agents.offline_collector import CollectorConfig
        from ..deployment.security.credential_store import generate_password

        generator = OfflineCollectorGenerator()

        # Use artifact set if specified
        if artifact_set:
            artifacts = generator.get_artifact_set(artifact_set)

        # Generate encryption password if needed
        encryption_password = None
        if encrypt_output:
            encryption_password = generate_password(32)

        config = CollectorConfig(
            artifacts=artifacts,
            encrypt_output=encrypt_output,
            encryption_password=encryption_password,
            deployment_id=deployment_id,
        )

        result = await generator.generate(config, target_os)

        response = result.to_dict()
        if encrypt_output:
            response["encryption_password"] = encryption_password
            response["password_warning"] = "Save this password - it will not be shown again"

        return [TextContent(
            type="text",
            text=json.dumps(response, indent=2)
        )]

    except ImportError as e:
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": f"Missing dependency: {str(e)}",
                "hint": "Install required packages with: pip install megaraptor-mcp[deployment]"
            }, indent=2)
        )]

    except Exception:
        # Generic errors - don't expose internals
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": "Operation failed",
                "hint": "Check deployment configuration and try again"
            }, indent=2)
        )]

Tool Definition Quality

A4.3/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden. It adds valuable behavioral context about the 'self-contained package' nature, the encryption option ('Encrypt collection output with a generated password'), and the offline capability. However, it lacks disclosure about whether this operation is destructive, idempotent, or requires specific server permissions/resources.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description follows a clear docstring structure (summary, detailed explanation, Args, Returns) with zero wasted words. Information is front-loaded with the core purpose, and every sentence provides actionable information. The Args section efficiently maps parameters to semantics without redundancy.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the 5-parameter complexity and 0% schema coverage, the description successfully documents all inputs and summarizes the return value ('Path to generated collector package and usage instructions') despite the existence of an output schema. It could achieve a 5 by mentioning operational prerequisites (e.g., disk space requirements, execution privileges) given the forensic context and lack of annotations.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0% (only titles present), but the Args section in the description comprehensively documents all 5 parameters. It provides specific examples (e.g., 'Windows.System.Pslist'), enumerated valid values for target_os ('windows', 'linux', 'macos'), and detailed options for artifact_set ('windows_triage', 'ransomware', etc.), fully compensating for the schema deficiency.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description opens with a specific verb ('Create') and resource ('offline collection package'), immediately clarifying scope. The second sentence distinguishes this from online collection tools (siblings like collect_artifact) by emphasizing 'air-gapped systems' and 'without requiring network connectivity', providing clear functional differentiation.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description strongly implies when to use the tool ('for air-gapped systems', 'without requiring network connectivity'), which provides clear contextual guidance. However, it does not explicitly name online alternatives (e.g., 'use collect_artifact when network connectivity is available') or state when NOT to use this specific tool.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/wagonbomb/megaraptor-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server