{"id":"noaslr-htb-mcp-server","name":"htb-mcp-server","homepage":null,"repo_url":"https://github.com/noaslr/htb-mcp-server","category":"devtools","subcategories":[],"tags":["mcp","hackthebox","ctf","tooling","stdio","go","jwt","api-integration"],"what_it_does":"Provides an MCP (Model Context Protocol) server over stdio that exposes tools for interacting with the HackTheBox Labs API v4, including challenge/machine listing and management, flag submission, user profile/progress retrieval, and a server status health check.","use_cases":["Use an AI assistant to list HackTheBox challenges and machines with filtering/pagination","Start HackTheBox machines and retrieve connection details/IPs for follow-on automation","Submit user/root flags for verification workflows","Fetch user profile and progress stats to guide learning","Search across HackTheBox content (challenges/machines/users)","Run an automated health check for the MCP/HTB integration"],"not_for":["Direct browser-based access to HackTheBox (no native UI)","Highly sensitive operations without careful token handling/logging controls","Use cases requiring a public REST/GraphQL endpoint for remote clients (this is primarily MCP/stdio)"],"best_when":"You want a local/agent-run MCP tool that standardizes HackTheBox API actions for LLM/agent workflows.","avoid_when":"You need externally hosted HTTP APIs/webhooks, fine-grained per-user audit trails, or you cannot safely provide and protect the HTB token in the environment where the MCP process runs.","alternatives":["Use the official/standard HackTheBox API directly from your own code","Build an MCP server using an existing HackTheBox API client library (if available)","Use a different CTF/HTB integration service (if you require hosted endpoints)"],"af_score":69.2,"security_score":68.8,"reliability_score":37.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:45:44.385501+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":["Go"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Bearer token (JWT format) via HTB_TOKEN environment variable"],"oauth":false,"scopes":false,"notes":"Uses an HTB API token as Bearer auth to https://labs.hackthebox.com/api/v4. No OAuth flow described; scope/granularity details are not provided in the README."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Pricing is not described for this package; costs would depend on HackTheBox account/API usage and your own hosting."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":69.2,"security_score":68.8,"reliability_score":37.5,"mcp_server_quality":80.0,"documentation_accuracy":70.0,"error_message_quality":null,"error_message_notes":"README claims sensitive information is not exposed in error messages, but does not show concrete JSON-RPC/MCP error examples or specific error codes/structures.","auth_complexity":85.0,"rate_limit_clarity":65.0,"tls_enforcement":95.0,"auth_strength":80.0,"scope_granularity":40.0,"dependency_hygiene":45.0,"secret_handling":75.0,"security_notes":"Token is supplied via environment variable (good); README advises not committing tokens and claims sensitive info is not exposed in error messages. However, there is no explicit discussion of TLS enforcement in code/docs (implied by HTTPS base URL), no described fine-grained scopes, and no dependency/security audit information is provided.","uptime_documented":10.0,"version_stability":45.0,"breaking_changes_history":40.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"page-based via tool-described pagination/filtering (details not specified)","retry_guidance_documented":true,"known_agent_gotchas":["Flag submission and challenge/machine start actions may be non-idempotent; repeated calls could cause unintended state changes","Rate limiting exists and may require the agent to throttle; README suggests reducing request frequency/increasing RATE_LIMIT_PER_MINUTE but does not specify header-based backoff logic","Pagination/filtering arguments are described only at a high level; exact schemas/arg names are not included in the README excerpt","Health check mentions a curl to /health on localhost:3000, but the MCP server description indicates stdio transport; this discrepancy may confuse operators integrating MCP clients"]}}