Layer 2 LAN host discovery — finds ALL devices on local network including those that block ICMP/TCP. Returns IP, MAC address, hostname, and vendor. Only possible from a machine on the same network segment.

Audit HTTP security headers of a URL. Checks HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy. Returns score/100 and grade.

Connect to a TCP port and capture the raw service banner. Unlike HTTP fetching, reads raw bytes from any protocol — SSH, FTP, SMTP, Redis, memcached, MySQL, etc.

Scan for nearby Bluetooth devices using local Bluetooth hardware. Returns device name, address, type, and pairing status. Requires a physical Bluetooth adapter — architecturally impossible for any cloud service.

Check npm dependencies in a package.json against the OSV vulnerability database. No API key needed.

Monitor critical system files for unauthorized changes. Three actions: 'scan' shows current state + permission issues; 'baseline' saves SHA-256 hashes of all critical files to disk; 'check' compares current state against the saved baseline and reports every modified, added, or removed file. Covers SSH keys, shell profiles, /etc/hosts, sudoers, LaunchAgents (macOS), systemd/passwd/shadow (Linux). Detects world-writable files and overly permissive SSH keys.

Enumerate all DNS records for a domain: A, AAAA, MX, NS, TXT, CNAME. Detects missing SPF/DMARC records.

Watch a file or directory for changes using kernel-level FS events (FSEvents on macOS, inotify on Linux). Captures creates, writes, deletes, renames in real time. A background MCP process can do this — Claude in a chat window never could.

Compute SHA-256 hashes of all files in a directory. Use to create integrity baselines, detect tampering, or verify files haven't changed. Reads local disk — not possible remotely.

Decode and analyze a JWT token locally without sending it anywhere. Shows header, payload, expiry, algorithm, and security warnings (e.g. 'none' algorithm, expired token, weak signing).

List active network connections on this machine (like netstat). Shows local/remote address and connection state.

List files, sockets, and pipes currently open by processes on this machine. Filter by process name or PID. Uses lsof — shows exactly what a process is reading, writing, or listening on.

Scan this machine for malware persistence mechanisms: LaunchAgents/LaunchDaemons (macOS), systemd units (Linux), cron jobs, and shell profile injections. Flags high-risk patterns like curl-pipe-to-bash, base64-encoded payloads, and binaries executing from /tmp. Essential first step when investigating a potentially compromised machine.

Send ICMP pings to all hosts in a CIDR range and return live hosts. Works on the local network — finds hosts even if they have no open TCP ports. Claude cannot send ICMP packets.

TCP port scan a host. Returns open ports with service guesses. Uses 200 concurrent goroutines — fast. Claude cannot do this natively.

List running processes on this machine. Optionally filter by name. Shows PID, CPU%, memory usage, and command.

Scan a file or directory for hardcoded secrets: AWS keys, GitHub tokens, API keys, private key blocks, DB URLs, and more. 20+ patterns.

Inspect the full TLS certificate chain of a host. Returns expiry countdown, issuer chain, SANs, key size, and weak-config warnings.

Audit a Node.js project's dependencies for supply chain attack indicators. Checks all packages in node_modules for: dangerous lifecycle scripts (postinstall that curl-pipe-to-bash, eval, base64 decode), typosquatting against 50+ popular package names (Levenshtein distance 1), and eval() of runtime data in source files. Reads local filesystem — no remote service can inspect your node_modules.

Get detailed local system information: CPU model, RAM, disk space, uptime, network interfaces with IPs and MACs. Reads from local hardware — not available to any remote service.

Trace the network path to a host hop-by-hop using ICMP TTL probes. Shows every router between this machine and the target. Requires raw packet sending — Claude cannot do this.

List all USB devices currently connected to this machine. Returns device name, vendor, product ID, speed, and manufacturer. Reads the local USB bus — no remote service can enumerate your physical ports.

Scan nearby Wi-Fi networks using local wireless hardware. Returns SSID, BSSID, signal strength, channel, and security type. Requires physical Wi-Fi hardware — impossible for Claude to do remotely.