{"id":"c0tton-fluff-caido-mcp-server","name":"caido-mcp-server","homepage":null,"repo_url":"https://github.com/c0tton-fluff/caido-mcp-server","category":"security","subcategories":[],"tags":["mcp","caido","http-traffic","proxy","replay","pentest","security","go","cli"],"what_it_does":"Provides an MCP server (stdio) and a CLI that let AI assistants or a terminal browse, replay, and analyze HTTP traffic through a local Caido proxy. Includes tools for proxy history queries, replaying requests, inspecting automate/fuzzing sessions, creating/listing security findings, and managing scopes/projects/workflows/intercept status.","use_cases":["Letting an MCP-capable AI assistant search Caido proxy history with HTTPQL and fetch request/response details","Replaying and iterating on HTTP requests captured by Caido to validate behavior or reproduce issues","Automating security workflows by creating findings tied to requests and inspecting fuzzing/automation sessions","Inspecting discovered endpoints via the Caido sitemap and managing target scope definitions"],"not_for":["Exposing the MCP server to untrusted networks without additional network controls","Using as a general-purpose HTTP client unrelated to Caido proxy history/replay workflows","Handling large response bodies or high-volume replay without accounting for the default 2KB body caps"],"best_when":"You have a Caido instance running locally (or on a trusted network) and want an MCP client/AI agent to interact with captured traffic in a structured way, with token-based auth.","avoid_when":"You need high-throughput data transfer (the default 2KB body caps get in the way), or you cannot control where the auth token is stored and logged, or who can reach the local Caido instance over the network.","alternatives":["caido-cli tooling (if available separately)","Direct Caido SDK/GraphQL integration (caido-community/sdk-go)","Other MCP integrations that provide proxying/browsing/replay without Caido's HTTP traffic capture/replay semantics"],"af_score":65.2,"security_score":58.5,"reliability_score":28.8,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:31:34.533705+00:00","interface":{"has_rest_api":false,"has_graphql":true,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["Go"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["OAuth device-flow via caido-mcp-server login","Shared auth token used by both the MCP server and the CLI (stored at ~/.caido-mcp/token.json)"],"oauth":true,"scopes":false,"notes":"Authentication is handled via OAuth device-flow; token auto-refresh is mentioned. Scope granularity for tokens is not described in the README."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Project appears to be open-source tooling (MIT license). No pricing information is provided."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":65.2,"security_score":58.5,"reliability_score":28.8,"mcp_server_quality":88.0,"documentation_accuracy":82.0,"error_message_quality":null,"error_message_notes":null,"auth_complexity":80.0,"rate_limit_clarity":10.0,"tls_enforcement":70.0,"auth_strength":75.0,"scope_granularity":35.0,"dependency_hygiene":45.0,"secret_handling":60.0,"security_notes":"The tool uses OAuth device-flow and stores a token locally (path stated). Replay defaults to tls=true, but the documentation does not state whether HTTPS is enforced for the Caido_URL value. The README mentions response/body caps and token auto-refresh; it does not discuss least-privilege scopes for tokens, secret redaction in logs, or supply-chain/security hygiene (e.g., dependency vulnerability policy or CVE reporting). Additionally, the MCP tools can send arbitrary raw HTTP requests, which raises the risk if the server is exposed to untrusted agents or networks.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":20.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":"Replay/send operations are non-idempotent whenever the replayed HTTP request is (e.g., a POST that creates state); no idempotency guarantees are documented.","pagination_style":"Cursor-based pagination is described for several list tools (e.g., an after parameter).","retry_guidance_documented":false,"known_agent_gotchas":["The default response body cap of 2KB may truncate data; agents may need the bodyOffset/bodyLimit or include parameters to avoid missing critical content.","Token auto-refresh is said to occur mid-session, but the troubleshooting section notes that when the refresh token is missing the user must log in again.","Replay polling may time out; the README suggests calling get_replay_entry with the returned entryId rather than immediately re-sending the request."]}}