Megaraptor MCP

list_hunts

Retrieve and filter active hunts from the Velociraptor forensics platform to monitor investigation status and manage endpoint security operations.

Instructions

List Velociraptor hunts.

Args: state: Optional filter by state: 'RUNNING', 'PAUSED', 'STOPPED', 'COMPLETED' limit: Maximum number of hunts to return (default 50)

Returns: List of hunts with their status and statistics.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`state`	No
`limit`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

src/megaraptor_mcp/tools/hunts.py:148-230 (handler)

The handler implementation for the list_hunts tool which queries Velociraptor hunts via VQL and formats the output.

async def list_hunts(
    state: Optional[str] = None,
    limit: int = 50,
) -> list[TextContent]:
    """List Velociraptor hunts.

    Args:
        state: Optional filter by state: 'RUNNING', 'PAUSED', 'STOPPED', 'COMPLETED'
        limit: Maximum number of hunts to return (default 50)

    Returns:
        List of hunts with their status and statistics.
    """
    try:
        # Input validation
        limit = validate_limit(limit)

        if state and state.upper() not in ['RUNNING', 'PAUSED', 'STOPPED', 'COMPLETED']:
            return [TextContent(
                type="text",
                text=json.dumps({
                    "error": f"Invalid state '{state}'. Must be one of: RUNNING, PAUSED, STOPPED, COMPLETED"
                })
            )]
        client = get_client()

        vql = f"SELECT * FROM hunts() LIMIT {limit}"
        results = client.query(vql)

        # Filter by state if specified
        if state:
            results = [r for r in results if r.get("state", "").upper() == state.upper()]

        # Format the results
        formatted = []
        for row in results:
            hunt = {
                "hunt_id": row.get("hunt_id", ""),
                "description": row.get("hunt_description", ""),
                "state": row.get("state", ""),
                "artifacts": row.get("artifacts", []),
                "created_time": row.get("create_time", ""),
                "start_time": row.get("start_time", ""),
                "stats": {
                    "total_clients_scheduled": row.get("stats", {}).get("total_clients_scheduled", 0),
                    "total_clients_with_results": row.get("stats", {}).get("total_clients_with_results", 0),
                    "total_clients_with_errors": row.get("stats", {}).get("total_clients_with_errors", 0),
                },
                "creator": row.get("creator", ""),
            }
            formatted.append(hunt)

        return [TextContent(
            type="text",
            text=json.dumps(formatted, indent=2, default=str)
        )]

    except grpc.RpcError as e:
        error_response = map_grpc_error(e, "hunt listing")
        return [TextContent(
            type="text",
            text=json.dumps(error_response)
        )]

    except ValueError as e:
        # Validation errors
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": str(e),
                "hint": "Check your limit parameter value"
            })
        )]

    except Exception:
        # Generic errors - don't expose internals
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": "Failed to list hunts",
                "hint": "Check Velociraptor server connection and try again"
            })
        )]

Tool Definition Quality

B3.4/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden. It discloses the return type ('List of hunts with their status and statistics') and pagination behavior (default limit 50), but omits safety profile (read-only vs destructive), permission requirements, or detailed error behaviors.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Uses structured docstring format (Args/Returns) that is appropriately sized for a 2-parameter tool. Information is front-loaded with the one-sentence purpose statement followed by parameter details. Slightly mechanical but efficient.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the simple schema (2 primitives, no nesting) and existence of output schema, the description provides adequate coverage. The Args section compensates for schema deficiencies, and the Returns section provides sufficient high-level context without needing to replicate the full output schema structure.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Excellent compensation for 0% schema description coverage. The Args section documents both parameters clearly: 'state' includes specific enum values ('RUNNING', 'PAUSED', 'STOPPED', 'COMPLETED') not present in the schema, and 'limit' explains the default of 50.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

Clearly states 'List Velociraptor hunts' with specific verb and resource. Distinguishes from sibling tools like 'create_hunt' (mutation) and 'get_hunt_results' (specific retrieval) by indicating bulk listing behavior, though could explicitly mention the distinction from fetching individual hunt results.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No explicit guidance on when to use this versus alternatives like 'get_hunt_results' or 'get_flow_results'. The Args section explains how to filter but not why to choose this tool over other hunt-related operations in the sibling list.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/wagonbomb/megaraptor-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server