Skip to main content
Glama
128,189 tools. Last updated 2026-05-06 01:22

"IDA Pro" matching MCP tools:

  • downgrade_plan

    Dock

    Schedule a downgrade to Free at the end of the current billing period. The org keeps its current plan (Pro or Scale) and paid limits until the period ends. No-op when already on Free. Consent-gated. Two consent surfaces, you pick via `mode`: (1) `chat` (default): FIRST call returns { status: 'confirmation_required', confirm_token, message, expires_in }; surface to your user and re-call within 60s with `confirm_token` set. (2) `web`: FIRST call returns { status: 'approval_required', approval_url, polling_url }; print approval_url in chat, user clicks + approves, then poll polling_url for the result.
    Connector

  • upgrade_plan

    Dock

    Move the caller's org to Pro ($19/mo flat, 10 agents, 20 members, 200 workspaces, 5k rows per workspace) or Scale ($49/mo flat, 30 agents, 60 members, 1,000 workspaces, 50k rows per workspace). The bill doesn't change as you add agents. If the org has no card on file, returns a Stripe Checkout URL for the human. If a card exists, a live plan switch (Pro ↔ Scale) is consent-gated. Two consent surfaces, you pick via `mode`: (1) `chat` (default): FIRST call returns { status: 'confirmation_required', confirm_token, message, expires_in }; surface the message to your user and re-call within 60s with `confirm_token` set. (2) `web`: FIRST call returns { status: 'approval_required', approval_url, polling_url, expires_at }; print the approval_url in chat for your user to click and approve in their browser, then poll `polling_url` for the result. No-card and same-plan paths execute on the first call (no money changes hands).
    Connector

  • me.validation_history

    AI Design Blueprint Doctrine

    Pro/Teams — return the authenticated user's architect.validate run history with the Blueprint Readiness Score (0-100), letter grade (A-F), and tier (draft, emerging, production_ready). Three lookup modes: (1) `run_id=<id>` returns a SINGLE run with the full persisted result_json — use this to RECOVER a result when your MCP client tool-call timed out before architect.validate returned. The run completes server-side and persists; the run_id is surfaced in the first progress notification of every architect.validate call so you have the recovery handle even when your client gives up early. (2) `repository=<name>` returns the full per-run trend for that repository plus a regression diff between the latest two runs. (3) No arguments returns one summary per repository the user has validated, sorted by most recent. Use modes (2) or (3) BEFORE calling architect.validate again on the same repository — they tell you which principles regressed since the last run, so you can focus the new review on what is actually changing. Auth: Bearer <token>. Pro or Teams plan required.
    Connector

  • cwe_lookup

    ContrastAPI

    Look up MITRE CWE (Common Weakness Enumeration) catalog record from research view 1000. Default response is SLIM (first 3 mitigations, first 3 examples, no extended_description) — pass include='full' for the verbose record. Returns description, abstract type (Pillar/Class/Base/Variant/Compound), status (Stable/Draft/Incomplete/Deprecated), exploit likelihood, recommended mitigations, observed example CVEs, parent_cwe (walk up the hierarchy), child_cwes (drill down to more specific weaknesses), and cve_count (LOWER BOUND — counts only CVEs whose primary CWE matches; CVEs with multiple CWEs may not be counted). Use after cve_lookup or kev_detail to understand the underlying weakness category; chain with cve_search(cwe_id=...) to enumerate all matching CVEs. Returns 404 when the CWE is not in research view 1000. Free: 100/hr, Pro: 1000/hr. Returns {cwe_id, name, description, abstract_type, status, likelihood, mitigations (first 3 by default), total_mitigations, examples (first 3 by default), total_examples, parent_cwe, child_cwes, cve_count, updated_at, verdict, next_calls; +extended_description on include='full'}.
    Connector

  • atlas_technique_search

    ContrastAPI

    Search the MITRE ATLAS catalog of AI/ML attack techniques by keyword, tactic, or maturity. Default response is SLIM (description truncated to 240 chars per row); pass include='full' for the verbose record. Pass exclude_id when chaining from atlas_technique_lookup to skip self in sibling-tactic searches. Use this to discover techniques matching a threat-model question, e.g. 'what techniques target LLM serving infrastructure?'. Drill into atlas_technique_lookup with any returned technique_id for the full description, ATT&CK bridge, and pivot hints. For broader cross-referencing: when a result has attack_reference_id, that bridges to D3FEND mitigations via d3fend_defense_for_attack. Free: 100/hr, Pro: 1000/hr. Returns {query (echoed filters), total, results [{technique_id, name, description (truncated by default), tactics, inherited_tactics, maturity, attack_reference_id, subtechnique_of}], next_calls}.
    Connector

  • atlas_case_study_lookup

    ContrastAPI

    Look up a MITRE ATLAS case study — a documented real-world AI/ML attack incident. Each case study links a sequence of ATLAS techniques (techniques_used) to the incident. Default response is SLIM (description truncated to 240 chars); pass include='full' for the verbose narrative. Use this after atlas_technique_search to find which incidents have exercised a given technique. Drill into the full techniques_used array via bulk_atlas_technique_lookup in a single call (next_calls emits exactly that hint). Returns 404 when the id is not in the synced catalog. Free: 100/hr, Pro: 1000/hr. Returns {case_study_id, name, description, techniques_used, next_calls}.
    Connector

Matching MCP Servers

Matching MCP Connectors

  • Humanizer PRO

    Humanizer PRO humanize AI-generated content into natural, human-sounding text that bypasses GPTZero, Turnitin, Originality.ai, Copyleaks, ZeroGPT, and other AI detectors. Undetectable AI content rewriting with Stealth, Academic, and SEO modes.

  • quicksign

    E-signatures for contracts and NDAs. Draft with AI, review, and send for signature.

  • d3fend_defense_search

    ContrastAPI

    Search the MITRE D3FEND catalog of defensive techniques by keyword, tactic, or targeted artifact. Default response is SLIM (drops `uri` from each row — saves ~60 chars/row, ~30% on popular drills); pass include='full' for the verbose record. Pass exclude_id when chaining from d3fend_defense_lookup to skip self in sibling-artifact searches. Use to discover defenses applicable to a given threat model — e.g. 'what defenses harden access tokens?' (tactic=Harden + artifact='Access Token'). Drill into d3fend_defense_lookup with any returned defense_id for the ATT&CK technique mappings. Free: 100/hr, Pro: 1000/hr. Returns {query, total, results [{defense_id, label, uri (only when include=full), parent_label, tactic, artifact}], next_calls}.
    Connector

  • get_financials

    openregistry

    Return annual-accounts filings (financial statements) for a company, normalised by `period_end` with pre-computed download URLs. **When to use.** This is the accounts-specific read. Use `get_financials` - NOT `list_filings(category='accounts')` - when the user asks about financial statements, annual reports, P&L, balance sheet, or 'latest accounts': this tool normalises the fiscal-period shape across registries and pre-computes `source_url` / `document_id` so callers don't need a second `get_document_metadata` round-trip. Call `fetch_document` on the returned `document_id` to read the actual XBRL / XHTML / PDF bytes; this tool only returns metadata. **Behaviour.** Read-only, idempotent, no side effects. Rate limits inherited from the tier: anonymous 20/min, pro 180, max 900, enterprise 3000. The whole accounts history is walked per query (late-filed amendments can land out of order), which may take 1-3s. Each item has `period_end` (fiscal-period end date, the primary sort key a user thinks in), optional `period_start` / `registration_date`, a `document_id` that can be passed to `fetch_document`, `document_format` (e.g. XBRL XML, XHTML, PDF - may be empty when the upstream negotiates format on fetch), `source_url` for direct download, and `jurisdiction_data` carrying raw upstream fields verbatim. Results are newest-first. Filters: `year=YYYY` keeps periods ending in that calendar year; `period_end=YYYY-MM-DD` pinpoints a single period (takes precedence over `year`). `limit` caps the post-filter slice - omit to return all matches. If the adapter doesn't implement `list_filings` at all, this returns 501. Per-country caveats (ID format, document format availability, whether bodies are paid) - call `list_jurisdictions({jurisdiction:"<code>"})`.
    Connector

  • search_companies

    openregistry

    Search company registries. Two calling modes - pick EXACTLY ONE per call: 1. `jurisdiction: "GB"` - single country, direct query, no confirmation screen. Use when the user has named a specific country. 2. `jurisdictions: ["GB","NO","FR"]` - multi-country fan-out when you are unsure. On clients that support MCP elicitation the server asks the user to confirm / edit your list before running; on others it returns an error telling you to ask in chat. **Per-tier caps** on how many distinct countries can be in `jurisdictions` (or searched in a 60-second window via repeated single calls): anonymous/free = 3, pro = 10, max = 30, enterprise = unlimited. **Prefer `jurisdiction` (singular) when in doubt; ask the user first.** The confirmation dialog around `jurisdictions` is a safety net, not a way to fan out silently. Follow-up tools (get_company_profile, list_filings, get_officers, etc.) do NOT count against the fan-out cap. Returns candidates with unified top-level fields (jurisdiction, company_id, company_name, status, status_detail, incorporation_date, registered_address) plus a `jurisdiction_data` object carrying the raw upstream fields verbatim. The `status` field is a coarse four-value enum (active / inactive / dissolved / unknown) safe for cross-country comparison; `status_detail` carries the registry's native status string. Per-country caveats (ID format, accepted input shapes, filter options, paid-tier gates, status taxonomy) are available on demand - call `list_jurisdictions({jurisdiction:"<code>"})` for full schema, or `list_jurisdictions({supports_tool:"search_companies"})` for the full country-support matrix. All registries are official government sources.
    Connector

  • generate_video

    Sats4AI - Bitcoin-Powered AI Tools

    Generate a video from a text prompt. Uses Kling v3 — cinematic quality, consistent motion, physics-aware rendering. Standard and pro quality modes with optional AI-generated audio track. Async — returns requestId, poll with check_job_status. Pricing: standard 300-400 sats/sec, pro 450-550 sats/sec (audio adds 100 sats/sec). Duration 3-15 seconds. Pay per request with Bitcoin Lightning — no API key or signup needed. Requires create_payment with toolName='generate_video' and duration, mode, generate_audio params.
    Connector

  • get_human_profile

    Human Pages

    Get a human's FULL profile including contact info (email, Telegram, Signal), crypto wallets, fiat payment methods (PayPal, Venmo, etc.), and social links. Requires agent_key from register_agent. Rate limited: PRO = 50/day. Alternative: $0.05 via x402. Use this before create_job_offer to see how to pay the human. The human_id comes from search_humans results.
    Connector

  • seo_audit

    ContrastAPI

    One-shot SEO audit of a domain's homepage with a 0-100 composite score + a `missing_signals` list of concrete fixes. Use BEFORE pitching SEO work to a prospect, when triaging a lead's marketing maturity, or as a structured pre-flight before deeper auditing tools (Lighthouse / SEMrush). 10 audit rules each worth 10 pts: title present, title length 30-60 chars (Google SERP truncation window), meta description present, meta description length 50-160, exactly one H1, canonical link, ≥3 OG tags, JSON-LD present, image alt-text coverage (proportional), HTTPS. Strictly homepage-only — we do NOT crawl the site. Ethical floor: target's robots.txt is honoured — `Disallow: /` for ContrastAPI OR `*` returns 403 `error.code = robots_txt_disallow` and we DO NOT fetch. `Cache-Control: no-store`/`private` skips our cache write (`cache_respected=false` in the response). Per-target eTLD+1 throttle (60 req/min) prevents weaponising via subdomain rotation. All target-derived strings/lists are `_untrusted`. Free: 100/hr, Pro: 1000/hr. Returns {domain, fetched_url, status_code, title_untrusted, meta_description_untrusted, canonical_url, h1_untrusted, h1_count, h2_count, h3_count, images_total, images_missing_alt, internal_link_count, external_link_count, og_tags, json_ld_present, score, missing_signals, cache_respected, summary}. Returns 502 on DNS/TCP/TLS failure; 403 `robots_txt_disallow` when the target opted out.
    Connector

  • open_task_dispute

    Molt2Meet

    Open a formal dispute on a task. When to use: you believe the operator's claim is unjustified, the proof is fraudulent, or there is breach of contract. Typically called after reject_task_review if the operator contests, or pro-actively when you spot misconduct. Mechanism: opening a dispute freezes all funds (locked balance stays locked) and triggers a platform investigation. The platform reviews both sides and decides the final settlement — full refund, full payout, or compromise. Funds remain frozen until the dispute is resolved. Typical resolution time: 1-3 days. Escalation alternative: if the dispute is taking longer than 3 days without resolution, call submit_support_request with type='billing_issue', severity='high', and relatedTaskId set — this flags the case for human support to expedite. Reason codes (same as reject_task_review): 1=WrongLocation, 2=InsufficientProof, 3=WrongTask, 4=Incomplete, 5=LowQuality, 6=SuspectedFraud, 7=OutsideTimeWindow, 8=MissingMandatoryEvent. Requires authentication. Next: monitor task.disputed → terminal state via get_task_events.
    Connector

  • architect.certify

    AI Design Blueprint

    Pro/Teams — second-pass adversarial certification of an architect.validate run that scored production_ready (A or B first-pass tier). Mints the certified production_ready badge when both reviewers sign off; caps the run to C/emerging when the second pass surfaces a missed production_blocker. WHEN TO CALL: only after architect.validate returned tier=production_ready AND the user wants the certified badge. NOT for tier=draft/emerging/not_applicable runs (typed rejections fire — see below). NOT idempotent across attempts: each call is one of the 3 attempts in the retry budget. BEHAVIOR: atomic one-shot single LLM call, ~60-150s server-side at high reasoning effort (small payloads finish faster). Exceeds typical MCP-client tool-call idle budget (~60s in Claude Code), so the FIRST notifications/progress event fires at t=0 carrying the run_id. The run is atomic by contract — no in_progress lifecycle, no cancellation, no resume. Updates the persisted run's result_json (public review URL + me.validation_history(run_id=...) reflect the cert outcome). ELIGIBILITY GATE (typed rejection enum on failure): caller must own the run, tier=production_ready, less than 24h old, not already certified, within cert retry budget (max 3 attempts), no other cert call in flight for the same run_id, and code fingerprint must match the validated code. Rejection reasons: auth_required, paid_plan_required, run_not_found, not_run_owner, not_eligible_tier, not_agentic_component (tier=not_applicable runs), already_certified, certification_age_exceeded, retry_budget_exhausted, code_fingerprint_mismatch, code_fingerprint_missing, run_state_corrupt, cert_persistence_failed, cert_in_flight (a prior architect.certify call on this run_id is still running. Poll me.validation_history for the verdict; do not retry until it resolves). INPUTS: re-send the SAME code that produced the run_id (the architect persists findings + recommendations, never code, by design — privacy-preserving). Server compares the submitted code's SHA-256 fingerprint to the stored fingerprint and rejects mismatches. Auth: Bearer <token>, Pro or Teams plan required. UK/EU data residency (Cloud Run europe-west2). Code processed transiently by OpenAI (no-training-on-API-data) and dropped; payloads JSON-escaped + delimited as inert untrusted data — prompt-injection inside code is ignored. RECOVERY: if your MCP client closes the tool-call early, recover the cert verdict via me.validation_history(run_id=<that-id>) once the server-side LLM call lands — same Bearer token, same pattern as architect.validate. If the cert call fails outright (provider error, persistence error), a fresh architect.certify is the recovery path; the eligibility gate enforces the 3-attempt retry budget. For long-running cert workflows the answer is to re-validate, not to make this tool stateful. OUTCOMES: certification_status ∈ {confirmed_production_ready (badge mints), downgraded_to_emerging (cert review surfaced a missed production_blocker, tier capped at C/emerging), unavailable_provider_error (LLM call failed, retry within budget)}. Cert findings + summary + attempt history surfaced on the persisted run for full inspectability.
    Connector

  • architect.certify

    AI Design Blueprint Doctrine

    Pro/Teams — second-pass adversarial certification of an architect.validate run that scored production_ready (A or B first-pass tier). Mints the certified production_ready badge when both reviewers sign off; caps the run to C/emerging when the second pass surfaces a missed production_blocker. WHEN TO CALL: only after architect.validate returned tier=production_ready AND the user wants the certified badge. NOT for tier=draft/emerging/not_applicable runs (typed rejections fire — see below). NOT idempotent across attempts: each call is one of the 3 attempts in the retry budget. BEHAVIOR: atomic one-shot single LLM call, ~60-150s server-side at high reasoning effort (small payloads finish faster). Exceeds typical MCP-client tool-call idle budget (~60s in Claude Code), so the FIRST notifications/progress event fires at t=0 carrying the run_id. The run is atomic by contract — no in_progress lifecycle, no cancellation, no resume. Updates the persisted run's result_json (public review URL + me.validation_history(run_id=...) reflect the cert outcome). ELIGIBILITY GATE (typed rejection enum on failure): caller must own the run, tier=production_ready, less than 24h old, not already certified, within cert retry budget (max 3 attempts), no other cert call in flight for the same run_id, and code fingerprint must match the validated code. Rejection reasons: auth_required, paid_plan_required, run_not_found, not_run_owner, not_eligible_tier, not_agentic_component (tier=not_applicable runs), already_certified, certification_age_exceeded, retry_budget_exhausted, code_fingerprint_mismatch, code_fingerprint_missing, run_state_corrupt, cert_persistence_failed, cert_in_flight (a prior architect.certify call on this run_id is still running. Poll me.validation_history for the verdict; do not retry until it resolves). INPUTS: re-send the SAME code that produced the run_id (the architect persists findings + recommendations, never code, by design — privacy-preserving). Server compares the submitted code's SHA-256 fingerprint to the stored fingerprint and rejects mismatches. Auth: Bearer <token>, Pro or Teams plan required. UK/EU data residency (Cloud Run europe-west2). Code processed transiently by OpenAI (no-training-on-API-data) and dropped; payloads JSON-escaped + delimited as inert untrusted data — prompt-injection inside code is ignored. RECOVERY: if your MCP client closes the tool-call early, recover the cert verdict via me.validation_history(run_id=<that-id>) once the server-side LLM call lands — same Bearer token, same pattern as architect.validate. If the cert call fails outright (provider error, persistence error), a fresh architect.certify is the recovery path; the eligibility gate enforces the 3-attempt retry budget. For long-running cert workflows the answer is to re-validate, not to make this tool stateful. OUTCOMES: certification_status ∈ {confirmed_production_ready (badge mints), downgraded_to_emerging (cert review surfaced a missed production_blocker, tier capped at C/emerging), unavailable_provider_error (LLM call failed, retry within budget)}. Cert findings + summary + attempt history surfaced on the persisted run for full inspectability.
    Connector

  • create_job_offer

    Human Pages

    Send a job offer to a specific human. IMPORTANT: Always confirm the price, task details, and payment method with the user before calling this tool — never create offers autonomously. The human gets notified via email/Telegram and can accept or reject. Requires agent_key from register_agent. Rate limit: PRO = 15/day. Prices in USD, payment method flexible (crypto or fiat, agreed after acceptance). After creating: poll get_job_status or use callback_url for webhook notifications. On acceptance, pay via mark_job_paid. Full workflow: search_humans → get_human_profile → create_job_offer → mark_job_paid → approve_completion → leave_review.
    Connector

  • kev_detail

    ContrastAPI

    Look up CISA KEV (Known Exploited Vulnerabilities) full record for a CVE. Returns federal patch deadline (due_date), CISA-specified required_action remediation, known ransomware association, vendor/product, the CISA-given common name (e.g. 'Log4Shell'), and CISA-reported CWE list. Returns 404 when the CVE is not in the KEV catalog — use cve_lookup for non-KEV CVEs. Best follow-up after cve_lookup or cve_search(kev=true) when an in_kev=true CVE is identified; chain with cwe_lookup on each returned CWE to investigate the weakness category. Free: 100/hr, Pro: 1000/hr. Returns {cve_id, vendor_project, product, vulnerability_name, date_added, due_date, required_action, known_ransomware_use, notes, cwes, verdict, next_calls}.
    Connector

  • buy_pro

    moltdj

    Buy a Pro subscription for $10 USDC (30 days). Requires authentication. This endpoint returns HTTP 402 with x402 payment instructions. Your x402-enabled HTTP client will handle the USDC payment automatically. After payment, you get Pro tier: 10 tracks/day, 2 episodes/week, analytics, and more.
    Connector

  • brave_summarizer

    brave

    Retrieves AI-generated summaries of web search results using Brave's Summarizer API. This tool processes search results to create concise, coherent summaries of information gathered from multiple sources. When to use: - When you need a concise overview of complex topics from multiple sources - For quick fact-checking or getting key points without reading full articles - When providing users with summarized information that synthesizes various perspectives - For research tasks requiring distilled information from web searches Returns a text summary that consolidates information from the search results. Optional features include inline references to source URLs and additional entity information. Requirements: Must first perform a web search using brave_web_search with summary=true parameter. Requires a Pro AI subscription to access the summarizer functionality.
    Connector

  • register_agent

    Human Pages

    Register a new agent on Human Pages. Returns an API key (hp_...) that you MUST save — it cannot be retrieved later. The agent is auto-activated on PRO tier (free during launch): 15 job offers/day, 50 profile views/day. Use the API key as agent_key in create_job_offer, get_human_profile, and other authenticated tools. Typical first step before hiring.
    Connector