{"id":"copyleftdev-mcp-subfinder-server","name":"mcp_subfinder_server","homepage":null,"repo_url":"https://github.com/copyleftdev/mcp_subfinder_server","category":"search","subcategories":[],"tags":["mcp","json-rpc","subdomain-enumeration","osint","projectdiscovery","go"],"what_it_does":"Provides a Model Context Protocol (MCP) server that wraps ProjectDiscovery's subfinder to enumerate subdomains for a given domain via a JSON-RPC interface, including options for recursion, depth, timeouts, and source filtering/exclusion. Includes a /health endpoint for liveness.","use_cases":["Automating passive subdomain enumeration workflows via an MCP-compatible client/agent","Recursive subdomain discovery with depth and timeout controls","Selective enable/disable of subfinder sources for targeted recon","Integrating subdomain enumeration into internal tooling using JSON-RPC calls"],"not_for":["Production-grade authenticated APIs without additional deployment security","Environments requiring strict legal/compliance controls over OSINT source usage (not addressed in the docs)","Use cases needing a stable, externally hosted SaaS API with published SLAs"],"best_when":"You need an on-prem or self-hosted MCP server that can be called by an agent to run subfinder with configurable parameters.","avoid_when":"You cannot control network exposure or request sizes, or you require documented idempotency/retry semantics and strict operational guarantees.","alternatives":["Run subfinder directly (CLI) and integrate with your own wrapper/service","Other recon/enumeration APIs or OSS wrappers that expose REST endpoints for subdomain discovery","MCP servers/wrappers for related ProjectDiscovery tools (where available)"],"af_score":58.8,"security_score":21.5,"reliability_score":18.8,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:52:02.571767+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:8080/mcp","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":[],"oauth":false,"scopes":false,"notes":"No authentication is described for the JSON-RPC endpoint or /health. The docs indicate local usage (localhost) by curl."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Self-hosted open-source project (MIT). Cost is deployment/compute and any costs from configured subfinder sources/providers."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":58.8,"security_score":21.5,"reliability_score":18.8,"mcp_server_quality":70.0,"documentation_accuracy":75.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":95.0,"rate_limit_clarity":0.0,"tls_enforcement":30.0,"auth_strength":10.0,"scope_granularity":0.0,"dependency_hygiene":40.0,"secret_handling":35.0,"security_notes":"No authentication/authorization is documented for the MCP JSON-RPC endpoint; /health is unauthenticated per examples. Docs mention adding API keys to provider-config.yaml for premium sources, but do not describe secret handling practices (e.g., redaction/logging behavior). TLS is not mentioned; examples use http://localhost.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":0.0,"error_recovery":30.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Subdomain enumeration can be resource-intensive and may take longer than typical agent timeouts; ensure agent-side timeouts align with the server/tool timeout parameters.","No auth is documented; agents should not expose the server publicly without adding network/auth controls.","Recursive enumeration and high timeouts/depth can amplify work and result size; constrain parameters for safer agent runs."]}}