htb-mcp-server
Provides an MCP (Model Context Protocol) server over stdio that exposes tools for interacting with the HackTheBox Labs API v4, including challenge/machine listing and management, flag submission, user profile/progress retrieval, and a server status health check.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Token is supplied via environment variable (good); README advises not committing tokens and claims sensitive info is not exposed in error messages. However, there is no explicit discussion of TLS enforcement in code/docs (implied by HTTPS base URL), no described fine-grained scopes, and no dependency/security audit information is provided.
⚡ Reliability
Best When
You want a local/agent-run MCP tool that standardizes HackTheBox API actions for LLM/agent workflows.
Avoid When
You need externally hosted HTTP APIs/webhooks, fine-grained per-user audit trails, or you cannot safely provide and protect the HTB token in the environment where the MCP process runs.
Use Cases
- Use an AI assistant to list HackTheBox challenges and machines with filtering/pagination
- Start HackTheBox machines and retrieve connection details/IPs for follow-on automation
- Submit user/root flags for verification workflows
- Fetch user profile and progress stats to guide learning
- Search across HackTheBox content (challenges/machines/users)
- Run an automated health check for the MCP/HTB integration
Not For
- Direct browser-based access to HackTheBox (no native UI)
- Highly sensitive operations without careful token handling/logging controls
- Use cases requiring a public REST/GraphQL endpoint for remote clients (this is primarily MCP/stdio)
Interface
Authentication
Uses an HTB API token as Bearer auth to https://labs.hackthebox.com/api/v4. No OAuth flow described; scope/granularity details are not provided in the README.
Pricing
Pricing is not described for this package; costs would depend on HackTheBox account/API usage and your own hosting.
Agent Metadata
Known Gotchas
- ⚠ Flag submission and challenge/machine start actions may be non-idempotent; repeated calls could cause unintended state changes
- ⚠ Rate limiting exists and may require the agent to throttle; README suggests reducing request frequency/increasing RATE_LIMIT_PER_MINUTE but does not specify header-based backoff logic
- ⚠ Pagination/filtering arguments are described only at a high level; exact schemas/arg names are not included in the README excerpt
- ⚠ Health check mentions a curl to /health on localhost:3000, but the MCP server description indicates stdio transport; this discrepancy may confuse operators integrating MCP clients
Alternatives
Scores are editorial opinions as of 2026-04-04.