{"id":"go-appsec-toolbox","name":"toolbox","af_score":62.8,"security_score":41.0,"reliability_score":23.8,"what_it_does":"toolbox/sectool is a CLI + MCP server that enables collaborative application security testing between a human operator and an AI agent. It provides a wire-fidelity HTTP(S) MITM proxy (native, and optional Burp as a front-end), captures and replays authenticated browser/proxy traffic, supports crawling/diffing/reflection detection and out-of-band interaction testing (OAST via Interactsh), and exposes these capabilities as MCP tools (plus CLI commands sharing state).","best_when":"You need agent-assisted, authenticated, stateful web app testing where a human can drive the browser/UI and the agent can analyze and mutate the resulting traffic via MCP.","avoid_when":"You cannot install/use a MITM CA cert or otherwise cannot inspect/modify traffic (corporate policy, strict client constraints), or when you require formal SLAs and SaaS-style operational guarantees.","last_evaluated":"2026-03-30T15:37:23.965001+00:00","has_mcp":true,"has_api":false,"auth_methods":["None described for local MCP/CLI access (implied local usage)","Optional browser/proxy authentication to the target app handled by the user"],"has_free_tier":false,"known_gotchas":["Requires a working MITM setup (proxy configuration + CA installation for HTTPS interception) or Burp MCP availability.","The tool is not a scanner; agent success depends on the human providing appropriate authentication/UI state and selecting appropriate workflow mode.","Workflows can exclude crawling tools in test-report mode; agents need to respect workflow instructions.","OAST requires external callback infrastructure (Interactsh) and waiting/polling for events.","Proxy fidelity (HTTP/1.1, HTTP/2, WebSocket) may introduce complexity for certain edge cases; agent should handle protocol-specific artifacts carefully."],"error_quality":0.0}