HALO (GEMMA-by-GOOGLE)

HALO (GEMMA-by-GOOGLE)

An MCP server providing AI-powered cybersecurity, penetration testing, reconnaissance, vulnerability assessment, and security automation tools through the Model Context Protocol.

Category
Visit Server

README

<img width="1021" height="720" alt="HALO banner" src="https://github.com/user-attachments/assets/90e5df6a-487a-45f7-b42b-35b1948a3519" />

<img width="1200" height="783" alt="HALO cover" src="https://github.com/user-attachments/assets/fe9aafc5-294b-43f5-b20f-4ff1305bf0d8" />

<div align="center">

πŸ” GEMMA-by-GOOGLE β€” HALO

A fully local, autonomous AI penetration-testing agent β€” Gemma 4-12B driving a 29-tool arsenal through recon, attack, and reporting, exposed as a standard Model Context Protocol (MCP) server. No cloud, no API keys.

What It Does Β· Tools Β· Architecture Β· Stack Β· Quickstart Β· Contributing

License Python Tools LM Studio Platform PRs Welcome GEMMA-by-GOOGLE MCP server

</div>


HALO is an autonomous security agent that runs inside a Linux environment driven by a local LLM β€” Gemma 4-12B (uncensored / abliterated) served through LM Studio. It plans, runs reconnaissance, chains attacks based on what it finds, and writes a professional pentest report on its own. Everything runs locally: no cloud, no API keys, nothing leaves your machine.

One word starts an engagement: engage.


What It Does

  • πŸ” Autonomous recon β€” masscan + nmap to discover open ports and services
  • βš”οΈ Autonomous attack loop β€” selects and chains tools based on what it finds
  • 🧠 Persistent negative-experience cache β€” learns what fails across all sessions and stops wasting cycles on proven dead ends
  • 🧩 Adaptive skill injection β€” loads relevant attack playbooks into the prompt based on the current goal
  • πŸ“ Automatic HTML reports β€” compiles findings into a branded report on exit
  • πŸ”’ 100% local β€” Gemma 4-12B in LM Studio; nothing leaves your machine

Tool Arsenal

29 tools sit behind the agent's decision loop, all routed through the same failure-caching layer. They are defined once in the TOOLS schema registry in halo_tools.py and served over both transports (MCP and HTTP).

Recon & OSINT

Tool Purpose
run_subfinder Subdomain enumeration
run_httpx HTTP probing and fingerprinting
run_katana Web crawling
run_sherlock Username OSINT across 90+ platforms
run_shodan Internet-exposure intelligence lookups
run_phoneinfoga Phone-number OSINT
run_cloudfox Cloud-infrastructure enumeration
run_wafw00f WAF / security-solution fingerprinting

Scanning

Tool Purpose
run_masscan Fast port discovery
run_nmap Deep service/version scanning
run_nikto Web vulnerability scanning
run_nuclei Template-based vulnerability scanning
run_netstat Network connection analysis

Web & Fuzzing

Tool Purpose
run_gobuster Web directory brute forcing
run_ffuf Web fuzzing
run_curl HTTP request testing
run_wget File retrieval

Exploitation

Tool Purpose
run_sqlmap SQL injection testing
run_searchsploit Exploit lookup
run_exploit Sandboxed execution of custom PoC scripts
run_setoolkit Social-engineering toolkit

Credentials

Tool Purpose
run_hydra Credential brute forcing
run_ncrack Network authentication cracking
run_medusa Fast parallel brute forcing
run_john Hash cracking

Enumeration & System

Tool Purpose
run_enum4linux SMB / Samba enumeration
run_command Arbitrary command execution
read_file Read file contents
write_file Write output to files

Architecture

A single tool engine (halo_tools.py) owns the arsenal and its schemas; two thin transports sit on top of it, so the tools are defined exactly once:

   agent_loop.py ──HTTP──►  tool_server.py ─┐
                                            β”œβ”€β–Ί  halo_tools.py  ──►  security tools
   MCP clients  ──stdio─►  mcp_server.py  β”€β”€β”˜   (29-tool engine +
                                                 schema registry)
     β”‚
     β”œβ”€β”€β–Ί  agent_cache.py         (persistent negative-experience cache)
     β”œβ”€β”€β–Ί  skills.py              (adaptive playbook injection)
     └──►  report_generator.py    (auto HTML pentest report on exit)
  • mcp_server.py β€” a spec-compliant Model Context Protocol server (stdio, JSON-RPC 2.0). Point any MCP client (Claude Desktop, IDE agents, inspectors) or an MCP registry at it to use HALO's arsenal as standard tools.
  • tool_server.py β€” the local Flask HTTP tool server (port 8000) the autonomous agent loop drives.

Use HALO as an MCP server

// e.g. an MCP client config
{
  "mcpServers": {
    "halo": { "command": "python3", "args": ["/abs/path/to/mcp_server.py"] }
  }
}

A ready-to-submit registry manifest lives in server.json.

Multi-agent layer

Engagements are coordinated by a set of specialist agents that pass a shared message schema (agent_schema.py):

Agent Role
planner_agent.py Turns a goal into an ordered plan
orchestrator_agent.py Routes tasks to the right specialist
vuln_discovery_agent.py Surfaces candidate vulnerabilities
attacker_agent.py Branches into vuln-class specialists (SQLi, brute force, IDOR, SSRF, XSS, auth)
validator_agent.py Confirms findings against real evidence before they count
debugger_agent.py Diagnoses failed tool runs and adjusts

Sovereign Agent Layer

The negative-experience cache fingerprints every tool call. A call that fails gets one retry; fail twice and it is blacklisted, so the agent moves on to a more practical tool for the job. Over an engagement the agent structures its own trial-and-error learning β€” building context, avoiding repeated dead ends, and escalating intelligently β€” rather than re-running what it has already proven doesn't work.


How It Was Built

HALO was built solo, from the ground up, in under six months by a self-taught developer and security researcher. The multi-agent core came together one specialist at a time, each verified against a real target before moving on:

  • Day 1 β€” Shared language: a common message schema (agent_schema.py) so the agents can talk to each other
  • Day 2 β€” Planner: turns a goal into an ordered plan, verified against live LM Studio
  • Day 3 β€” Orchestrator: routes each task to the right specialist
  • Day 4 β€” Vuln Discovery: surfaces candidate vulnerabilities, tested against a live Metasploitable target
  • Day 5 β€” Attacker: branches into SQLi / brute-force / IDOR / SSRF / XSS / auth specialists
  • Day 6 β€” Debugger: diagnoses failed tool runs and adjusts
  • Validator + reporting: findings are confirmed against real evidence before they count, then compiled into a client-readable report

From there the arsenal grew to 29 tools, and the negative-experience cache turned trial-and-error into persistent learning across sessions. Active development continues β€” new capabilities are pushed regularly.


Stack

  • Model: Gemma 4-12B Instruct Abliterated (GGUF via LM Studio) β€” works with any local model of your choosing
  • Agent: Python autonomous loop with MCP tool calls
  • Tool transports: a Model Context Protocol server (stdio) for MCP clients, plus a Flask HTTP tool server on port 8000 for the agent loop
  • OS: Kali Linux (tested under UTM on Apple Silicon M1)
  • Hardware reference: MacBook Pro M1, 16 GB RAM

Quickstart

See docs/QUICKSTART.md for full setup. In short:

git clone https://github.com/XenoCoreGiger31/GEMMA-by-GOOGLE.git
cd GEMMA-by-GOOGLE
python3 -m pip install -r requirements.txt

python3 tool_server.py      # terminal 1 β€” HTTP tool server on port 8000
python3 agent_loop.py       # terminal 2 β€” the agent

>>> engage 192.168.64.3     # full autonomous recon + attack
>>> run nmap on 10.0.0.1    # single-goal query
>>> exit                    # triggers HTML report generation

Note: endpoints and paths default to a standard local setup (LM Studio on localhost:1234, HTTP tool server on localhost:8000). Override any of them with the HALO_* environment variables β€” see the environment overrides table. A few author-specific log/cache path defaults remain in agent_cache.py and tool_server.py; the env vars cover those too.


Contributing

Contributions from the security, AI, and Python communities are welcome β€” see CONTRIBUTING.md. Star the repo if it's useful to you, or open a PR and let's build something together.

Actively developed by an independent, self-taught developer and security researcher. New capabilities are pushed regularly.


Disclaimer & Legal

This is a community project by an independent developer. It is not affiliated with, endorsed by, or sponsored by Google LLC. "Gemma" is a trademark of Google LLC.

⚠️ Content warning: The referenced model is heavily abliterated and will respond to sensitive requests without the usual guardrails. Use responsibly, in appropriate environments only.

πŸ”’ Legal warning: This tool is intended strictly for authorized penetration testing and security research on systems you own or have explicit written permission to test. Unauthorized use is illegal.

License

Released under the MIT License.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured