MCP Server
import { Aside, Tabs, TabItem } from '@astrojs/starlight/components';
What is the MCP Server
The MCP Server exposes all OSINT AI One capabilities via the Model Context Protocol, allowing any MCP-compatible client (Claude Desktop, VS Code with Continue, Cursor…) to use OSINT tools directly.
Unlike the CLI, you don’t need Ollama — the client’s model (Claude, GPT-4…) does the reasoning and decides which tools to call.
Starting the server
Configuration in Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
```json
{
  "mcpServers": {
    "osint-agent": {
      "command": "osint-mcp",
      "args": []
    }
  }
}
```

Restart Claude Desktop. You’ll see the OSINT tools available in the MCP panel.
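Hand-editing this file can clobber other entries already present under `mcpServers`. The script below is an added example, not part of OSINT AI One: it merges the entry shown above into an existing config, keeps a backup, and refuses to overwrite an `osint-agent` entry that points somewhere else. The function names and the `.bak` backup file are assumptions of this example.

```python
# Added example: helper names and the .bak backup are assumptions, not project code.
import json
import os
import sys
import tempfile
from pathlib import Path

SERVER_NAME = "osint-agent"                           # entry name from this page
SERVER_ENTRY = {"command": "osint-mcp", "args": []}   # entry body from this page


def default_config_path(platform=sys.platform, env=os.environ):
    """Return the claude_desktop_config.json location given on this page."""
    if platform == "darwin":
        return Path.home() / "Library/Application Support/Claude/claude_desktop_config.json"
    if platform.startswith("win"):
        return Path(env["APPDATA"]) / "Claude" / "claude_desktop_config.json"
    raise RuntimeError("this page documents only the macOS and Windows paths")


def merge_server(config, name=SERVER_NAME, entry=SERVER_ENTRY):
    """Return a copy of config with the entry added; other servers are kept."""
    merged = dict(config)
    servers = dict(merged.get("mcpServers") or {})
    if name in servers and servers[name] != entry:
        raise ValueError(f"{name!r} already configured differently: {servers[name]}")
    servers[name] = dict(entry)
    merged["mcpServers"] = servers
    return merged


def install(path):
    """Merge the entry into the file at path (a pathlib.Path); True if it changed."""
    config = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    merged = merge_server(config)
    if merged == config:
        return False
    path.parent.mkdir(parents=True, exist_ok=True)
    if path.exists():  # keep the previous version next to the config
        path.with_suffix(".json.bak").write_bytes(path.read_bytes())
    fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    os.replace(tmp, path)  # atomic swap, so a crash never leaves a half-written file
    return True


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_config_path()
    print("updated" if install(target) else "already configured", target)
```

Run it with no arguments to use the platform path above, or pass a path to a copy of the config to try it without touching the live file.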
The 44 MCP tools
OSINT and Reputation
| Tool | Description |
|---|---|
| `virustotal_ip_lookup` | IP reputation in VirusTotal |
| `virustotal_domain_lookup` | Domain reputation in VirusTotal |
| `virustotal_hash_lookup` | Hash analysis in VirusTotal |
| `abuseipdb_check_ip` | IP abuse score in AbuseIPDB |
| `alienvault_ip_lookup` | Threat pulses in AlienVault OTX |
| `shodan_host_lookup` | Exposed services in Shodan |
| `ipinfo_lookup` | IP geolocation and context |
| `urlscan_lookup` | Complete URL scan |
| `whois_lookup` | Domain WHOIS information |
| `dns_lookup` | DNS records |
| `crtsh_lookup` | Subdomains via Certificate Transparency |
| `fetch_threat_feed` | IOCs from live feeds |
Agent and Scoring
| Tool | Description |
|---|---|
| `investigate_ioc` | Complete IOC investigation with ReAct agent |
| `get_risk_score` | Risk score 0-100 for an IOC |
| `generate_report` | Generate threat report for session IOCs |
| `classify_ioc` | Classify threat type of an IOC |
| `list_available_feeds` | List available threat feeds |
| `list_tools` | List all registered OSINT tools |
Intelligence and Context
| Tool | Description |
|---|---|
| `gdelt_entity_search` | News about an entity (GDELT) |
| `gdelt_topic_search` | News about a topic (GDELT) |
| `gdelt_tone_analysis` | Media tone analysis (GDELT) |
| `rss_news_search` | General RSS feed search |
| `rss_security_news` | Cybersecurity news |
| `rss_financial_news` | Financial news |
| `get_crypto_prices` | Cryptocurrency prices |
| `get_economic_indicator` | Macroeconomic indicators |
| `acled_conflict_events` | Conflict events by country |
| `get_country_risk_score` | Country risk index |
| `ais_vessel_lookup` | Vessel information by AIS |
| `ais_chokepoint_activity` | Traffic at strategic maritime choke points |
| `check_entity_anomaly` | Anomaly detection in mentions |
| `search_history` | Search in investigation history |
Investigation Management
| Tool | Description |
|---|---|
| `create_investigation` | Create new investigation |
| `list_investigations` | List existing investigations |
| `get_investigation_summary` | Investigation summary |
| `ingest_evidence` | Ingest evidence (file or URL) |
| `add_entity` | Add entity manually |
| `list_entities` | List investigation entities |
| `add_claim` | Register claim with traceability |
| `list_claims` | List investigation claims |
| `verify_claim` | Verify or dispute a claim |
| `semantic_search_evidence` | Semantic search in evidence |
The 5 Resources
| URI | Description |
|---|---|
| `osint://feeds` | Available threat feed sources |
| `osint://tools` | All registered tools with description |
| `osint://history/{query}` | Past investigation results for an IOC |
| `osint://investigations` | List of all investigations |
| `osint://investigation/{slug}` | Details of a specific investigation |
The 3 Prompts
Pre-built prompts for common use cases:
| Prompt | Description |
|---|---|
| `investigate_ip` | Complete template for investigating an IP |
| `investigate_domain` | Complete template for investigating a domain |
| `investigate_url` | Complete template for investigating a URL |
Environment variables for MCP
```bash
MCP_TRANSPORT=stdio      # stdio or streamable-http
MCP_HTTP_PORT=8080       # Port for streamable-http
```