Megaraptor MCP

vql_help

Access documentation for Velociraptor Query Language (VQL) syntax, plugins, functions, and example queries to support digital forensics investigations.

Instructions

Get help on VQL (Velociraptor Query Language).

Args: topic: Optional topic to get help on. Options: - 'syntax': VQL syntax basics - 'plugins': Common VQL plugins - 'functions': Common VQL functions - 'examples': Example queries

Returns: Help text for the requested topic.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`topic`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

src/megaraptor_mcp/tools/vql.py:117-279 (handler)

The implementation of the `vql_help` MCP tool. It defines the available topics and returns help documentation based on the requested topic.

@mcp.tool()
async def vql_help(
    topic: Optional[str] = None,
) -> list[TextContent]:
    """Get help on VQL (Velociraptor Query Language).

    Args:
        topic: Optional topic to get help on. Options:
               - 'syntax': VQL syntax basics
               - 'plugins': Common VQL plugins
               - 'functions': Common VQL functions
               - 'examples': Example queries

    Returns:
        Help text for the requested topic.
    """
    help_content = {
        "syntax": """
# VQL Syntax Basics

VQL follows a SQL-like syntax:

```
SELECT column1, column2, ...
FROM plugin(arg1=value1, arg2=value2, ...)
WHERE condition
ORDER BY column
LIMIT n
```

Key differences from SQL:
- Uses plugins instead of tables
- Plugins are function calls with named arguments
- Supports LET for variable assignment
- Supports foreach() for iteration
""",
        "plugins": """
# Common VQL Plugins

## Client Information
- clients() - List/search clients
- client_info() - Get info about a specific client

## Collections
- collect_client() - Schedule artifact collection
- flows() - List collection flows
- source() - Get collection results

## Hunts
- hunt() - Create a hunt
- hunts() - List hunts
- hunt_results() - Get hunt results

## System Info (Client)
- info() - Basic system info
- pslist() - Process list
- netstat() - Network connections
- users() - User accounts

## File System (Client)
- glob() - File search with wildcards
- read_file() - Read file contents
- stat() - File metadata
- hash() - Calculate file hashes

## Windows Specific
- wmi() - WMI queries
- registry() - Registry access
- evtx() - Event log parsing
""",
        "functions": """
# Common VQL Functions

## String Functions
- format() - Format strings
- split() - Split string
- regex_replace() - Regex replacement
- base64encode/decode() - Base64 encoding

## Time Functions
- now() - Current timestamp
- timestamp() - Parse timestamp
- humanize() - Human-readable time

## Data Functions
- count() - Count rows
- enumerate() - Add row numbers
- filter() - Filter rows
- dict() - Create dictionary
- array() - Create array

## File Functions
- read_file() - Read file
- hash() - Calculate hash
- upload() - Upload file to server
""",
        "examples": """
# VQL Example Queries

## List all Windows clients
```
SELECT * FROM clients() WHERE os_info.system = 'windows'
```

## Find processes by name
```
SELECT * FROM pslist() WHERE Name =~ 'chrome'
```

## Search for files
```
SELECT * FROM glob(globs='C:/Users/*/Downloads/*.exe')
```

## Get recent event logs
```
SELECT * FROM Artifact.Windows.EventLogs.Evtx(
    EvtxGlob='%SystemRoot%/System32/Winevt/Logs/Security.evtx',
    StartDate=now() - 86400
)
```

## Collect artifact and wait for results
```
LET flow <= SELECT collect_client(
    client_id='C.xxx',
    artifacts='Windows.System.Pslist'
) FROM scope()

SELECT * FROM source(
    client_id='C.xxx',
    flow_id=flow[0].collect_client.flow_id
)
```
""",
    }

    if topic and topic in help_content:
        return [TextContent(
            type="text",
            text=help_content[topic]
        )]
    else:
        # Return overview of all topics
        overview = """
# VQL Help

VQL (Velociraptor Query Language) is the core query language for Velociraptor.

Available help topics:
- syntax: VQL syntax basics
- plugins: Common VQL plugins
- functions: Common VQL functions
- examples: Example queries

Use vql_help(topic='<topic>') to get detailed help on a specific topic.

For complete VQL reference, see: https://docs.velociraptor.app/vql_reference/
"""
        return [TextContent(
            type="text",
            text=overview
        )]

Tool Definition Quality

A3.6/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden. It discloses that the tool returns 'Help text for the requested topic,' but omits behavioral details like whether results are cached, idempotent, or if there are rate limits on help requests. It does clarify that omitting the topic parameter is valid (returns general help).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description uses a clear structured format with 'Args:' and 'Returns:' sections. The bulleted list of topic options is efficiently presented. The opening sentence immediately establishes purpose without redundancy, though the 'Returns' statement is somewhat tautological given the context signals indicate an output schema exists.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given this is a simple single-parameter help tool with an output schema present, the description provides adequate coverage. It documents the parameter behavior sufficiently given the schema lacks descriptions, and does not need to elaborate on return values since the output schema handles that. It appropriately covers the tool's limited scope.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The schema has 0% description coverage (just 'type': 'string' or null). The description compensates effectively by enumerating the four valid topic values ('syntax', 'plugins', 'functions', 'examples') with brief explanations for each, adding critical semantic information absent from the structured schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'Get help on VQL (Velociraptor Query Language)' using a specific verb and resource. Among siblings like run_vql (which executes queries), this distinguishes itself as a documentation/help tool rather than an operational command, though it doesn't explicitly contrast itself with run_vql.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides implied usage context by listing specific topic options (syntax, plugins, functions, examples), but lacks explicit guidance on when to use this versus reading artifact documentation directly or when not to use it (e.g., for actual data collection).

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/wagonbomb/megaraptor-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server