mythic_mcp

Provides a proof-of-concept MCP server wrapper (Python) intended to integrate Mythic with an MCP client (e.g., Claude Desktop) to enable automated pentesting workflows.

Evaluated Mar 30, 2026
Tags: DevTools, mcp, mythic, pentesting, red-teaming, python, llm-integration
⚙ Agent Friendliness: 25 / 100 (Can an agent use this?)
🔒 Security: 18 / 100 (Is it safe for agents?)
⚡ Reliability: 25 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 35
Documentation: 40
Error Messages: 0
Auth Simplicity: 20
Rate Limits: 0

🔒 Security

TLS Enforcement: 20
Auth Strength: 15
Scope Granularity: 10
Dep. Hygiene: 45
Secret Handling: 5

The README suggests that Mythic admin credentials are passed as command-line arguments when starting the MCP server. This is commonly risky: the credentials may leak via shell history or the process table. No documentation is provided about transport security (TLS), MCP authentication, scope/permission controls, audit logging, or operational hardening. The dependency list includes external packages, but no vulnerability posture or pinned versions are shown.

⚡ Reliability

Uptime/SLA: 0
Version Stability: 40
Breaking Changes: 40
Error Recovery: 20

Best When

Used in a controlled lab environment where the operator can tightly manage access to the Mythic backend and the MCP client host.

Avoid When

Avoid when you cannot control where the MCP server will run, who can send commands, and how Mythic credentials/operations are secured.

Use Cases

  • Security team demos of LLM-assisted red teaming via an MCP client
  • Internal evaluation of Mythic automation triggered through MCP tools
  • Building/testing an MCP integration around Mythic

Not For

  • Production deployment without significant hardening and operational safeguards
  • Public/unauthenticated exposure to untrusted users or networks
  • Compliance-sensitive environments without documented security posture

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: Mythic backend connection using an admin username/password (as shown in the MCP client command args)
OAuth: No
Scopes: No

The README indicates passing Mythic admin credentials as command-line arguments to start the server. No evidence is provided of MCP-level auth, scoped permissions, or credential exchange best practices.

Pricing

Free tier: No
Requires CC: No

No pricing information provided.

Agent Metadata

Pagination: none
Idempotent: False
Retry Guidance: Not documented

Known Gotchas

  • The MCP server appears to be a POC demo; tool schemas, safety constraints, and failure-mode behaviors are not documented here.
  • Mythic admin credentials are supplied via command args, which may expose secrets in process listings/logs.
  • No rate-limit or retry/backoff behavior is documented for the MCP tools or Mythic interactions.


Scores are editorial opinions as of 2026-03-30.