caido-mcp-server
Provides an MCP server (stdio) and a CLI that let AI assistants or a terminal browse, replay, and analyze HTTP traffic through a local Caido proxy. Includes tools for proxy history queries, replaying requests, inspecting automate/fuzzing sessions, creating/listing security findings, and managing scopes/projects/workflows/intercept status.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The tool uses OAuth device-flow and stores a token locally (the path is stated). TLS is used for replay by default (tls=true), but the documentation does not clearly state whether HTTPS is enforced for the Caido_URL. The README mentions response-body caps and token auto-refresh; however, it does not discuss least-privilege scopes for tokens, redaction of secrets in logs, or supply-chain/security hygiene (e.g., a dependency vulnerability policy or CVE reporting process). Additionally, the MCP tools allow an agent to send arbitrary raw HTTP requests, which increases risk if the server is exposed to untrusted agents or networks.
⚡ Reliability
Best When
You have a Caido instance running locally (or on a trusted network), and you want an MCP client/AI agent to interact with captured traffic in a structured way with token-based auth.
Avoid When
You need stable, high-throughput transfer of full response bodies (the default body limits truncate them), or you cannot control sensitive token storage and logging and network access to the local Caido instance.
Use Cases
- Letting an MCP-capable AI assistant search Caido proxy history with HTTPQL and fetch request/response details
- Replaying and iterating on HTTP requests captured by Caido to validate behavior or reproduce issues
- Automating security workflows by creating findings tied to requests and inspecting fuzzing/automation sessions
- Inspecting discovered endpoints via the Caido sitemap and managing target scope definitions
Not For
- Publicly exposing the MCP server to untrusted networks without additional network controls
- Using it as a general-purpose HTTP client unrelated to Caido proxy history/replay workflows
- Handling large response bodies or high-volume replay without accounting for the default 2KB body caps
Interface
Authentication
Authentication is handled via OAuth device-flow; token auto-refresh is mentioned. Scope granularity for tokens is not described in the README.
Pricing
Project appears to be open-source tooling (MIT license). No pricing info is provided for the service itself.
Agent Metadata
Known Gotchas
- ⚠ The default response body cap of 2KB may truncate data; agents may need to use the bodyOffset/bodyLimit or include parameters to avoid missing critical content.
- ⚠ Token refresh is said to occur mid-session, but the troubleshooting section indicates that some cases where the refresh token is missing require re-login.
- ⚠ Replay polling may time out; the README suggests calling get_replay_entry with the returned entryId rather than immediately re-sending the request.
Alternatives
Scores are editorial opinions as of 2026-03-30.