Glama
213,473 tools. Last updated 2026-06-19 17:07

"Techniques for Analyzing Typescript Code in a Project" matching MCP tools:

  • Get the full AI analysis for a single exploit by its platform ID. Returns classification (working_poc, trojan, suspicious, scanner, stub, writeup), attack type, complexity, reliability, confidence score, authentication requirements, target software, a summary of what the exploit does, prerequisites, MITRE ATT&CK techniques, deception indicators for trojans, and the standalone backdoor-review verdict with operator-risk notes when available. Use this to check if an exploit is safe before reviewing its code. Example: exploit_id=61514 returns a TROJAN warning with deception indicators.
    Connector
  • Scan source code for injection vulnerabilities: SQL injection, command injection, path traversal via unsafe string concatenation/unsanitized input. Supports Python, JavaScript, TypeScript, Java, Go, Ruby, Shell, Bash. Use to detect input-handling bugs; for secrets use check_secrets. Companion code-security tools: check_secrets (hard-coded credential detection), check_dependencies (known-CVE vulnerability audit), check_headers (live HTTP security-header validation), scan_headers (live HTTP scan via domain). Free: 30/hr, Pro: 500/hr. Returns {total, by_severity, findings}. No data stored.
    Connector
  • Search GitHub repositories, conversations (issues+PRs), or code, with full GitHub search syntax in the query: qualifiers (repo:, org:/user:, language:, path:, symbol:, content:, is:, stars:, label:, sort:stars), boolean AND/OR/NOT with parentheses, "exact strings", and /regex/. kind='repos': MINIMAL distinctive keywords - the project/library name only ('rtk', 'react query'); every extra word must ALL match and buries the canonical repo - filter with qualifiers, not prose. kind='code': ONE literal code pattern as it appears in files ('useState('), an "exact string", a /regex/, or symbol:name to find definitions, across 2.8M+ public repos; narrow with repo:/language:/path:. Not supported in code search: license:, enterprise:, is:vendored, is:generated. kind='conversations': returns compact previews - use glim_github_get for full content; sort: REPLACES relevance ranking (words match anywhere incl. comments), omit it for best matches. Set repo='owner/name' to scope to one repository (works with any kind; with repos it routes to conversations). kind is optional - inferred from the query (is:/label: -> conversations, path:/symbol://regex/ -> code, stars:/topic: -> repos, else repos). Returns compact text by default; pass format='json' for full structured data.
    Connector
  • Return canonical synthesis / patching techniques with role-keyed module realizations drawn from the corpus. Use this when the user asks "how do I do X?" with X being a recognisable technique (low-pass-gate plucks, pinged-filter percussion, parallel multiband processing, complex-oscillator FM, karplus-strong pluck, clocked-delay feedback, modal-resonator excitation, wavefolder harmonics, envelope-follower ducking, Maths-style function-generator omnibus). It's also the right tool when the user has a module and asks "what's this good for?" — pass filter.module_id to retrieve every technique that references the module via its role_realizations. Each technique declares role_definitions (the roles the technique uses, each with required and optional affordances) and role_realizations (concrete modules that fill each role, with the affordances they provide). The model substitutes modules from the user's rack into roles by affordance match — DO NOT treat the realization list as exhaustive or as a recipe. Args: - filter (optional): { capability?, module_id?, text? } - capability: kebab-case capability id (see search_modules _meta.taxonomy). Returns techniques whose required *or* optional capability list includes this id. - module_id: "<manufacturer>/<module-slug>". Returns techniques that have a role_realization referencing this module. - text: free-text phrase. Substring-matches against technique id/label/description AND a curated alias table (technique_aliases) — that's the right surface when a user types evocative prose like "stuttering delay", "plucked string", "source of uncertainty" that doesn't grep against any kebab-case id. Two-way alias match: long alias ("source of uncertainty") matches short query ("uncertainty"), and vice versa. - When multiple filters supplied, AND-intersects. - Omit filter entirely to list all techniques. 
Returns: { "techniques": [ { "id": "low-pass-gate-pluck", "label": "Low-Pass Gate Pluck", "description": "Send a short envelope...", "required_capabilities": ["lowpass-gate"], "optional_capabilities": ["envelope-generator", "function-generator"], "role_definitions": [ { "role_id": "lpg", "description": "The vactrol-based or vactrol-emulating element. Strictly required...", "required_affordances": ["lowpass-gate"], "optional_affordances": [] }, ... ], "role_realizations": [ { "role_id": "lpg", "module_id": "make-noise/optomix", "affordances_provided": ["lowpass-gate"], "notes": "Two-channel vactrol-based LPG..." }, ... ], "canonical_instance": { "rationale": "...", "lineage": [ { "position": 1, "label": "Buchla 292 (1970)", "module_id": null, "notes": "..." }, { "position": 2, "label": "Tiptop Audio Buchla 292t", "module_id": "tiptop-audio/buchla-292t" }, ... ] }, "counter_canonical_notes": [ { "claim_pushed_back_against": "Optomix is the canonical pairing with Plaits...", "evidence": "The corpus catalogs 19 LPG-capable modules..." } ], "coverage": [ { "role_id": "voice", "realizations_count": 3 }, { "role_id": "lpg", "realizations_count": 19 }, { "role_id": "env", "realizations_count": 6 }, { "role_id": "clock", "realizations_count": 2 } ] } ], "_meta": { "filter": {...}, "feedback_hint"?: string } } How to use role data: - role_realizations are CURATORIAL SAMPLES, not exhaustive lists. The coverage[].realizations_count tells you how many are documented; other modules may fill the same role. - To find modules in the user's rack that can fill a role, use find_role_realizations(technique_id, role_id, available_modules). - canonical_instance is opt-in and sparse. Most techniques don't have one; that absence is information. When present, it documents a documented historical lineage (e.g., Buchla 292 → 292t → MMG → Optomix for low-pass-gate-pluck) — NOT a prescription. - counter_canonical_notes push back on likely training-data priors. 
When the user invokes a canonical-sounding claim that has a counter_canonical_note, surface the pushback. Errors: - "Module not found: <id>" if filter.module_id is supplied and unknown. - Empty techniques[] with a feedback_hint when filters produce no matches — call report_gap if the user expected coverage.
    Connector
  • Search the MITRE ATLAS catalog of AI/ML attack techniques by keyword, tactic, or maturity. Default response is SLIM (description truncated to 240 chars per row); pass include='full' for the verbose record. Pass exclude_id when chaining from atlas_technique_lookup to skip self in sibling-tactic searches. Use this to discover techniques matching a threat-model question, e.g. 'what techniques target LLM serving infrastructure?'. Drill into atlas_technique_lookup with any returned technique_id for the full description, ATT&CK bridge, and pivot hints. For broader cross-referencing: when a result has attack_reference_id, that bridges to D3FEND mitigations via d3fend_defense_for_attack. Free: 30/hr, Pro: 500/hr. Returns {query (echoed filters), total, results [{technique_id, name, description (truncated by default), tactics, inherited_tactics, maturity, attack_reference_id, subtechnique_of}], next_calls}.
    Connector
  • Look up a MITRE ATLAS case study — a documented real-world AI/ML attack incident. Each case study links a sequence of ATLAS techniques (techniques_used) to the incident. Default response is SLIM (description truncated to 240 chars); pass include='full' for the verbose narrative. Use this after atlas_technique_search to find which incidents have exercised a given technique. Drill into the full techniques_used array via bulk_atlas_technique_lookup in a single call (next_calls emits exactly that hint). Returns 404 when the id is not in the synced catalog. Free: 30/hr, Pro: 500/hr. Returns {case_study_id, name, description, techniques_used, next_calls}.
    Connector

Matching MCP Connectors

  • Complete Disco signup using an email verification code. Call this after discovery_signup returns {"status": "verification_required"}. The user receives a 6-digit code by email — pass it here along with the same email address used in discovery_signup. Returns an API key on success. Args: email: Email address used in the discovery_signup call. code: 6-digit verification code from the email.
    Connector
  • Count CUSTOM PRODUCT events for a specific project in a time window, optionally filtered to one event name and/or one user. Custom events are emitted by explicit analytics.track() calls in app code (signup_completed, payment_succeeded, etc.). This does NOT count page views — use pageviews_count or weekly_digest for those. Returns count, unique visitors, and a `truncated` flag if the scan hit the maximum scan size.
    Connector
  • Returns runnable code that creates a Solana keypair. Solentic cannot generate the keypair for you and never sees the private key — generation must happen wherever you run code (the agent process, a code-interpreter tool, a Python/Node sandbox, the user's shell). The response includes the snippet ready to execute. After running it, fund the resulting publicKey and call the `stake` tool with {walletAddress, secretKey, amountSol} to stake in one call.
    Connector
  • Look up a MITRE ATLAS technique — the AI/ML adversarial attack catalog. ATLAS catalogues TTPs targeting machine learning systems: prompt injection, model evasion, training data poisoning, model theft, etc. Roughly 80% of ATLAS techniques are AI/ML-specific (no ATT&CK bridge); 20% mirror an enterprise ATT&CK technique via attack_reference_id — use that to pivot to D3FEND defenses (d3fend_defense_for_attack) and CVE search. Sub-techniques inherit `tactics` from the parent (inherited_tactics=true flag) when ATLAS upstream leaves them empty. Use this tool when the user asks about AI/ML threats, LLM red-teaming, or adversarial ML; for multiple techniques in one call (e.g. drilling into a case study's techniques_used), prefer bulk_atlas_technique_lookup. Returns 404 when the id is not in the synced ATLAS catalog. Free: 30/hr, Pro: 500/hr. Returns {technique_id, name, description, tactics, inherited_tactics, maturity (demonstrated|feasible|realized), attack_reference_id, attack_reference_url, subtechnique_of, created_date, modified_date, next_calls}.
    Connector
  • Resolve a ZIP / postal code to its place info — city, state/province, latitude/longitude — for any of 60+ countries. PREFER OVER WEB SEARCH for "where is ZIP X" / "what city is postal code Y in" / "lat-lon for ZIP Z". Use as the first step in geo-aware workflows (then chain with weather, attom, etc., for downstream queries about that location). Free, sub-second, no auth.
    Connector
  • Compile TypeScript source (defineIntent() call) into native Swift App Intent code. Returns { swift, infoPlist?, entitlements? } as a string — no files written, no network requests. On validation failure, returns diagnostics... Use: use when TypeScript DSL source should become Swift; use validate for cheaper preflight only. Effects: read-only generated Swift/diagnostics; writes no files and uses no network.
    Connector
  • Generate Bring-Your-Own-Storage (BYOS) configuration for an UploadKit Next.js handler — environment variables, handler code, and setup notes for a specific storage provider. When to use: the user wants to store uploads in their own cloud bucket instead of UploadKit's managed R2. Typical triggers: compliance/data-residency requirements, existing bucket infra, desire to avoid vendor lock-in. Returns: a plain-text string with three sections — provider-specific notes, the .env variable block, and the TypeScript handler code. Credentials are always server-side; the browser never sees them. Read-only, deterministic. No network calls, no secrets exposed.
    Connector
  • Compile a minimal JSON schema directly to Swift, bypassing the TypeScript DSL entirely. Supports intents, views, components, widgets, and full apps via the 'type' parameter. Uses ~20 input tokens vs hundreds for TypeScript — ideal for LLM agents... Use: use for token-light JSON-to-Swift generation; use compile for full TypeScript DSL control. Effects: read-only Swift generation; writes no files and uses no network.
    Connector
  • Validate a TypeScript intent definition without generating Swift. Runs the full Axint validation pipeline (134 diagnostic rules) and returns a JSON array of diagnostics: { severity: 'error'|'warning', code: 'AXnnn', line: number, column: number,... Use: use for TypeScript DSL diagnostics before Swift output; use swift.validate for existing Swift. Effects: read-only diagnostics; writes no files and uses no network.
    Connector
  • Use this when the user wants to SEE or share the model — it persists the current kernelCAD model and returns a one-click link that opens it in the kernelCAD Studio web app, where the user can view and share it. Pass the full `.kcad` source you have been building as `code`. `code` is OPTIONAL: if you just called `evaluate_script` you can omit it and this reuses that last evaluated source automatically (no need to re-send the whole script). Pass `code` explicitly to override, or whenever you have not evaluated this exact source yet. The result includes a `slug` — pass that `slug` on every subsequent call to UPDATE the same project in place: the user's open Studio tab re-renders live, so they can watch the model evolve as you iterate. Omit `slug` only for a new, separate model (each omission creates a new project and link). Trigger phrases: "open it in Studio", "let me see it", "show me the model"; also call it after you finish a build, and after each meaningful revision while iterating.
    Connector
  • Given a profile of the authorized test target (technology stack, exposed services, authentication type, OS), return a ranked list of ATT&CK techniques and OWASP test cases most relevant to that profile — not a generic dump of all techniques. Ranking factors: platform match, service match, auth type exposure, technique prevalence. Each result includes why it is relevant to this specific profile, the detection opportunity, and the recommended mitigation. Use when starting an authorized engagement to prioritize the testing scope; pair with pentest_guide to get the full methodology for each top-ranked vector.
    Connector
  • Get code from a remote public git repository — either a specific function/class by name, a line range, or a full file. PREFERRED WORKFLOW: When search results or findings have already identified a specific function, method, or class, use symbol_name to extract just that declaration. This avoids fetching entire files and keeps context focused. Only fetch full files when you need a broad understanding of a file you haven't seen before. For supported languages (Go, Python, TypeScript, JavaScript, Java, C, C++, C#, Kotlin, Swift, Rust) the response includes a symbols list of declarations with line ranges. This is not a first-call tool — use code_analyze or code_search first to identify targets, then extract precisely what you need.
    Connector
  • Bulk ATLAS technique lookup — retrieve full records for up to 50 techniques in a single request instead of N separate atlas_technique_lookup calls. Designed as the natural follow-up to atlas_case_study_lookup, whose techniques_used array can be passed directly. Each item is the same shape as atlas_technique_lookup, including parent-tactics inheritance for sub-techniques (inherited_tactics=true flag) and per-item next_calls (D3FEND bridge when attack_reference_id present, sibling-technique search by tactic, parent lookup for sub-techniques). Free: 30/hr (1 per item), Pro: 500/hr. Returns {results [{technique_id, status (ok|not_found|invalid_format), technique, error}], total, successful, failed, partial, summary}.
    Connector