{"id":"six2dez-burp-mcp-agents","name":"burp-mcp-agents","homepage":null,"repo_url":"https://github.com/six2dez/burp-mcp-agents","category":"security","subcategories":[],"tags":["security","pentest","burp-suite","mcp","llm","proxy","prompts","privacy-local"],"what_it_does":"Provides guides and helper scripts to connect a Burp Suite MCP Server to different AI backends (Codex CLI, Gemini CLI, Ollama, LM Studio), including a recommended Caddy reverse proxy setup for MCP over SSE and reusable prompt templates for analyzing real (passively observed) Burp traffic.","use_cases":["Assistive analysis of real Burp Suite traffic using LLM reasoning","Passive identification of potential vulnerabilities and logic/auth issues from observed requests","Generating evidence-based reports based on Burp traffic and LLM prompts","Local-first workflows for privacy using Ollama/LM Studio"],"not_for":["Automated active scanning, fuzzing, or blind scanning","Production-grade, fully managed security testing with strict compliance guarantees","Teams needing a single turnkey, unified API/SDK across backends"],"best_when":"You want to review real Burp traffic with LLM assistance (passive workflows) and are comfortable configuring local proxies/backends.","avoid_when":"You require a standardized programmatic interface (beyond MCP) with strong, explicit security controls and rigorous operational documentation.","alternatives":["Use Burp Suite MCP Server directly with a single chosen MCP-compatible client/tooling layer","General-purpose LLM-assisted code/traffic analysis tools that integrate with Burp via plugins or exports","Custom integration using a Caddy reverse proxy + your own MCP client"],"af_score":40.0,"security_score":36.0,"reliability_score":21.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:37:32.315506+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Backend-specific authentication (e.g., for cloud CLIs such as Codex/Gemini) configured per backend"],"oauth":false,"scopes":false,"notes":"The README describes connecting a Burp MCP Server extension and configuring proxies/backends, but does not document MCP authentication modes, API keys, scopes, or how credentials are handled at the MCP layer."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Costs depend on selected AI backend (cloud CLIs vs local models). The repo itself is MIT-licensed, but the README does not specify pricing or free-tier details for the associated services."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":40.0,"security_score":36.0,"reliability_score":21.2,"mcp_server_quality":55.0,"documentation_accuracy":50.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":45.0,"rate_limit_clarity":20.0,"tls_enforcement":50.0,"auth_strength":35.0,"scope_granularity":20.0,"dependency_hygiene":35.0,"secret_handling":40.0,"security_notes":"The README emphasizes 'safety-first workflows' and passive analysis, but does not specify authentication/authorization controls for the MCP layer, nor does it document how secrets are stored or protected. If cloud backends are used, request/response content may be sent to third parties; local backends reduce that exposure. TLS/encryption requirements at the proxy layer are not explicitly documented in the provided text.","uptime_documented":0.0,"version_stability":35.0,"breaking_changes_history":30.0,"error_recovery":20.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Setup complexity varies significantly by backend (cloud vs local) and may require correct CLI/proxy configuration","No evidence in the provided README of retry/idempotency guidance for MCP calls","Caddy proxy/SSE configuration is part of the workflow; misconfiguration can break streaming/transport"]}}