x0base

mcp-security-toolkit

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": false}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description

mcp_server_audit

Statically audit an MCP server Python source file.

Enumerates tools registered with FastMCP-style @*.tool() decorators (and imperative mcp.tool()(fn) calls) and reports risk findings per tool: shell execution, filesystem writes, network egress, code injection, over-broad parameter types, and ambiguous/short descriptions.

Args:

  • path: Absolute path to a Python file defining an MCP server.

  • max_bytes: Reject files larger than this (default 5 MB). Prevents DoS via huge input. Pass a larger value if you need to audit a big monolith, but consider splitting it first.

Returns: Structured audit report (see AuditReport schema). Does NOT execute the target file. Includes a coverage block and limitations list — absence of finding is NOT proof of safety.

agent_tool_risk_audit

Statically audit a single agent tool definition for schema-level risks.

Accepts OpenAI function-calling, Anthropic tool-use, MCP tool, or a bare JSON Schema. Reports:

  • over-broad params (bare-string paths/commands/URLs)

  • missing constraints (enum/pattern/min/max/maxLength/maxItems)

  • dangerous defaults (suspicious paths, disabled safeguards)

  • exfil-shape (URL-destination + data-payload in the same tool)

  • ambiguous descriptions vs risky tool names

Args: schema: A tool definition as a dict.

Returns: Structured AuditReport. Pure function, no I/O, no chaining.

prompt_injection_audit

Statically analyze a system prompt / template for prompt-injection surface.

Reports:

  • placeholders (jinja {{x}}, fstring {x}, dollar ${x}, percent %(x)s) with a trust classification (untrusted / trusted / unknown)

  • missing-delimiter findings: untrusted placeholders not wrapped in XML tags / triple-backticks / triple-quotes / [START]..[END] etc.

  • dangerous-instruction patterns (ignore previous instructions, role overrides, trust-boundary violations, system-prompt leakage hints, special-token sequences)

  • precedence-inversion: untrusted content placed near the end with no instruction reinforcement after it

Pure function. No LLM call, no I/O, no chaining.

Args: prompt: The system prompt or template text.

Returns: Structured AuditReport.

owasp_llm_classify

Map a finding or observation to OWASP LLM Top 10 (2025) categories.

Pure rule-based: keyword and regex patterns with weights per category. Returns the top_n best-matching categories, each with the matched evidence snippets and a confidence score.

Args:

  • observation: Free-form text describing a finding, scan result, bug report, threat model entry, or security observation.

  • top_n: Number of matches to return (default 3).

Returns: ClassifyReport with ranked matches. If nothing matches, unmatched is True and matches is empty.

jwt_inspect

Decode and audit a JWT.

Reports algorithm issues (none, weak HS*), expiry, missing standard claims (exp, iat, iss, aud), suspicious kid values that look like path traversal or SQL, and (optionally) checks the signature against a small dictionary of common weak HS256/384/512 secrets.

Args:

  • token: The JWT string (three dot-separated base64url segments).

  • check_weak_secrets: If True, attempt a small dictionary of common secrets against the signature for HS* algorithms. Default True.

Returns: Structured inspection report (see JwtInspection schema).

http_diff

Diff two HTTP responses with security-relevant findings.

Inputs may be raw HTTP response strings (status line + headers + body) or dicts shaped {"status": int, "headers": list|dict, "body": str}.

Reports:

  • status transitions classed as auth-bypass-likely / idor-possible / etc.

  • header diffs with security-header and auth-header tagging

  • cookie attribute diffs (HttpOnly / Secure / SameSite removal flagged high)

  • body diff: size, content-type shift, error-leak hints, unified diff excerpt

Stateless. Two inputs in, one report out.

default_creds_lookup

Return known default credentials for a vendor / product / service.

Accepts a short product name (cisco, tomcat, idrac, mongo), a full key (router:cisco, db:mongodb), or a substring match. Returns every credential pair across all matching keys.

Pure data lookup — no network, no scanning.

Args: query: vendor / product / service identifier (case-insensitive).

Returns: LookupReport with matched_keys and credentials.

sensitive_files_list

Return curated sensitive-path lists for a given tech stack.

Args:

  • stack: Comma-separated stack hints. Supported keys: common, php, wordpress, dotnet, java, node, python, k8s, docker, ci.

  • include_common: If True (default), always include the common set.

Returns: FilesReport with paths (each {path, why}). No network is performed.

wordlist_gen

Generate a wordlist tailored to the target surface.

Modes:

  • passwords: combine brand / keyword seeds with leet substitution, capitalization variants, common suffixes and year suffixes.

  • usernames: combine person names into common patterns (first, last, first.last, flast, firstl, …).

  • subdomains: combine brand + keywords with a curated list of common environment / service subdomain labels.

Pure function. No network.

Args:

  • mode: One of passwords, usernames, subdomains.

  • brand: Target organization brand (used in all modes).

  • names: List of person names ("Jane Doe") for usernames mode.

  • keywords: Additional seed words for passwords / subdomains.

  • years: Year strings to append (passwords mode).

  • max_size: Hard cap on returned entries.

Returns: GenReport with sample (the wordlist itself, up to max_size).

graphql_introspect

Run a GraphQL introspection query against url and summarize the schema.

Single HTTP POST. Read-only. Will not mutate state on the server.

By default, requests resolving to private / loopback / link-local / cloud-metadata addresses are blocked (SSRF protection). Set allow_private=True to override — useful when explicitly auditing internal infrastructure.

Redirects are disabled (an HTTP 3xx from the target raises HTTP-error: redirects disabled). This prevents a public endpoint from redirecting the request to a private address after the pre-flight check.

Residual risk: DNS rebinding. The pre-flight resolution and the actual HTTP request happen in separate syscalls and the OS may resolve the hostname twice. A hostile DNS that returns a public IP for the check and a private IP for the request can defeat the guard. For high-stakes environments, run this tool inside a network namespace / egress proxy that enforces address restrictions independently.

Args:

  • url: Full GraphQL endpoint URL (e.g. https://api.example.com/graphql).

  • timeout: Network timeout in seconds (clamped to [1, 60]).

  • insecure: Skip TLS verification (for self-signed certs in test envs).

  • allow_private: Permit requests to private / internal addresses. Default False.

Returns: IntrospectReport summarizing the schema and security observations. If the URL resolves to a private address and allow_private is False, returns {"error": "blocked-private-address", ...}.

phpggc_generate

Generate a single PHP unserialize gadget chain via phpggc.

Args:

  • chain: Gadget chain identifier (e.g. Laravel/RCE9, Symfony/RCE4, Monolog/RCE1). Run phpggc -l locally to enumerate.

  • command: Shell command to embed in the chain (e.g. id, curl ...).

  • encoding: One of raw, base64, url, json, soft.

  • fast_destruct: Adds --fast-destruct (triggers without await).

  • extra_args: Extra raw arguments to pass through.

Returns: PhpggcReport with the generated payload (string). If phpggc is not installed, available is False.

interactsh_register

Register a new interactsh callback URL via the interactsh-client CLI.

Spawns interactsh-client detached, captures the assigned callback URL, and persists a session descriptor for later polling. Returns a token that pairs with interactsh_poll.

Args:

  • server: interactsh server hostname (default interact.sh public).

  • timeout: seconds to wait for the client to emit its URL.

Returns: RegisterReport with callback_url and token.

interactsh_poll

Read captured OOB interactions for a previously-registered token.

Args: token: token returned by interactsh_register.

Returns: PollReport with all interactions captured so far.

interactsh_stop

Stop a previously-registered interactsh-client session and clean up.

Terminates the spawned interactsh-client process (best-effort) and removes the session descriptor. The log file is removed by default (set delete_log=False to keep it for post-mortem).

Args:

  • token: token returned by interactsh_register.

  • delete_log: also remove the session log file (default True).

Returns: {"stopped": bool, "log_removed": bool, "note": str | None}

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/x0base/mcp-security-toolkit'
