MISP MCP Server
A Model Context Protocol server for MISP (Malware Information Sharing Platform), with built-in prompt injection defense powered by prompt-defense-audit.
Why this exists: MISP holds operational threat intel: IOCs, threat actor profiles, attack patterns. When you connect an LLM agent to MISP via MCP, two new attack surfaces emerge:
- Adversarial seeding. A threat actor who can submit content into your MISP instance (or a federated feed) can plant prompt-injection payloads designed to hijack downstream LLM agents.
- Sensitive intel leakage. A manipulated LLM can be coerced into returning intel above its authorized TLP level.
This server wraps every outgoing MISP response in prompt-defense-audit's output scanner, blocking high-risk patterns before they reach the LLM. Read-only by design: no write tools exposed.
Tracks: MISP/MISP#10745 (MCP server for MISP)
Features
- Defense built in: every MISP response is scanned for prompt-injection / XSS / shell-injection patterns before being returned
- Read-only by design: no event/attribute mutation tools; an LLM cannot modify your threat-intel platform
- 8 high-utility tools covering events, attributes, search, tags, feeds, galaxies
- Zero-config beyond `MISP_URL` and `MISP_API_KEY`
- Stdio transport: works with Claude Desktop, Cursor, Continue, Cline, any MCP client
- MIT license: fork freely, use commercially
Quick start
1. Install
```
npm install -g @ultralab/misp-mcp-server
```
Or use npx directly in your MCP client config (no install needed).
2. Configure your MCP client
Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%/Claude/claude_desktop_config.json on Windows):
```json
{
  "mcpServers": {
    "misp": {
      "command": "npx",
      "args": ["-y", "@ultralab/misp-mcp-server"],
      "env": {
        "MISP_URL": "https://misp.your-org.example",
        "MISP_API_KEY": "your_misp_api_key_here"
      }
    }
  }
}
```
Cursor / Continue / Cline follow a similar pattern; see your client's MCP config docs.
3. Restart your MCP client and start asking
"What MISP events are tagged tlp:white from the last 7 days?"
"Show me event 12345 β I'm investigating a phishing report."
"What threat actor galaxies do we have configured?"
"Find all attributes matching the IP 198.51.100.42."
Tools exposed
| Tool | Purpose |
|---|---|
| misp_version | Health check + server version |
| misp_list_events | Paginated event headers |
| misp_get_event | Full event with attributes (scanned for injection) |
| misp_search_events | Search by tag / type / value / date range |
| misp_search_attributes | Direct IOC lookup |
| misp_list_tags | All configured tags (TLP, taxonomy, etc.) |
| misp_list_feeds | Configured threat-intel feeds |
| misp_list_galaxies | Threat actor / campaign clusters |
Mutation tools intentionally not included. An LLM with write access to MISP is a supply-chain compromise vector. If you need agent-driven MISP mutations, build a per-tool allowlist with human-in-the-loop confirmation.
Defense layer
Every tool response is run through prompt-defense-audit's `scanOutput` before being returned to the LLM client.
High-risk patterns (critical / high severity): the response is blocked and replaced with a safe summary. Example trigger patterns:
- Script-tag injection (`<script>...</script>`)
- Iframe / object injection
- JavaScript URLs (`javascript:`)
- Shell-command patterns in unexpected contexts
- Known prompt-injection vector signatures from prompt-defense-audit's 17+ vector library
Low/medium-risk patterns: the response is annotated with a `[defense]` prefix listing the matched patterns but is still returned.
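The block/annotate policy above, as an added illustration rather than the server's own code: the real server delegates matching to prompt-defense-audit's `scanOutput`, whose API is not shown here, so the scanner, vector list, severities and `guardResponse` helper below are assumptions, and the MISP event fragment is a constructed sample.

```typescript
// Illustrative stand-in for prompt-defense-audit's scanOutput (assumed shape,
// not the library's real API) plus the README's block/annotate policy.
type Severity = "low" | "medium" | "high" | "critical";
interface Finding { vector: string; severity: Severity }

// Assumed vector table covering the pattern classes the README lists.
const VECTORS: { vector: string; severity: Severity; re: RegExp }[] = [
  { vector: "script-tag", severity: "critical", re: /<script\b[\s\S]*?<\/script>/i },
  { vector: "iframe-object", severity: "high", re: /<(iframe|object)\b/i },
  { vector: "javascript-url", severity: "high", re: /javascript:/i },
  { vector: "shell-command", severity: "medium", re: /(?:^|[;&|]\s*)(?:curl|wget|bash|sh)\s+-?\S/m },
  { vector: "instruction-override", severity: "low", re: /ignore (?:all )?previous instructions/i },
];

function scanOutput(text: string): Finding[] {
  return VECTORS.filter((v) => v.re.test(text)).map(({ vector, severity }) => ({ vector, severity }));
}

// Policy from the README: critical/high -> block and return a safe summary;
// low/medium -> prepend a [defense] annotation but return the payload.
function guardResponse(toolName: string, payload: string): { blocked: boolean; content: string } {
  const findings = scanOutput(payload);
  const names = findings.map((f) => f.vector).join(", ");
  if (findings.some((f) => f.severity === "critical" || f.severity === "high")) {
    return {
      blocked: true,
      content: `[defense] ${toolName}: response blocked (${names}); ${payload.length} bytes withheld`,
    };
  }
  if (findings.length > 0) {
    return { blocked: false, content: `[defense] matched: ${names}\n${payload}` };
  }
  return { blocked: false, content: payload };
}

// Constructed MISP-style event: an attacker-controlled comment field carries
// a script tag, the kind of seeded payload the defense layer is meant to stop.
const SAMPLE_EVENT = JSON.stringify({
  Event: {
    id: "12345",
    info: "Phishing report",
    Attribute: [{ type: "ip-dst", value: "198.51.100.42", comment: "<script>alert(1)</script>" }],
  },
});

console.log(guardResponse("misp_get_event", SAMPLE_EVENT));
```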
Opt out (not recommended)
```
PROMPT_DEFENSE_DISABLED=true
```
Use only if you fully trust your MISP instance + all federated feeds and need raw response fidelity for a specific debugging scenario.
Environment variables
| Variable | Required | Default | Notes |
|---|---|---|---|
| MISP_URL | yes | (none) | Base URL of your MISP instance (e.g. https://misp.example.com) |
| MISP_API_KEY | yes | (none) | MISP automation API key (Profile > Auth Keys) |
| MISP_INSECURE_TLS | no | false | Set to true only for self-signed dev instances |
| PROMPT_DEFENSE_DISABLED | no | false | Set true to skip output scanning (NOT recommended) |
For enterprise users
The free OSS defense layer ships with prompt-defense-audit (17+ regex-based vectors, ~3ms latency, deterministic).
For deployments that need:
- Persistent audit logs of every MISP query an LLM has made
- Team policies (per-role allowlists, per-TLP gating, escalation flows)
- Jurisdictional compliance (EU GDPR / Taiwan PDPA / China PIPL data residency)
- Live threat intel updates to the defense ruleset (new injection vectors pushed daily)
- SLA-backed uptime and response
Upgrade path: route the MCP server through Quartz Cloud, a Taiwan-domiciled runtime AI firewall, as a drop-in passthrough.
Development
```
git clone https://github.com/ppcvote/misp-mcp-server.git
cd misp-mcp-server
npm install
npm test        # smoke tests, no live MISP
npm run dev     # tsx watch mode
npm run build   # produce dist/
```
Architecture
```
LLM client (Claude Desktop, Cursor, etc.)
   | stdio
   v
@ultralab/misp-mcp-server
   |
   +-- src/tools.ts         8 read-only tool definitions + dispatch
   +-- src/misp-client.ts   minimal MISP REST API wrapper
   +-- src/index.ts         MCP Server + scanOutput() defense layer
   |
   v
MISP REST API (/events, /attributes, /tags, /feeds, /galaxies)
```
Project context
Built by Ultra Lab, a one-person AI products company in Taiwan, focused on AI safety, threat intel, and the supply chain between LLM agents and operational security tooling.
This server is part of a broader thesis: the MCP ecosystem will be a major prompt-injection vector unless servers default to defensive output handling. We're shipping reference implementations for high-leverage targets (MISP first, OpenCTI / TheHive / Vault next) to anchor the standard.
Companion projects:
- prompt-defense-audit: the underlying detection engine
- ultraprobe: CLI scanner for AI app system prompts
- quartz.tw: paid runtime firewall (audit logs, team policies, jurisdictional moat)
License
MIT © 2026 Ultra Lab. See LICENSE.
Contributing
PRs welcome. Please:
- Keep the read-only invariant. Mutation tools must be argued explicitly with a threat-model writeup.
- Add a test for any new tool.
- If you add new MISP API coverage, link to the relevant OpenAPI spec section in your PR.
For discussion, see MISP/MISP#10745.