{"id":"xpn-mythic-mcp","name":"mythic_mcp","homepage":null,"repo_url":"https://github.com/xpn/mythic_mcp","category":"devtools","subcategories":[],"tags":["mcp","mythic","pentesting","red-teaming","python","llm-integration"],"what_it_does":"Provides a proof-of-concept MCP server wrapper (Python) intended to integrate Mythic with an MCP client (e.g., Claude Desktop) to enable automated pentesting workflows.","use_cases":["Security team demos of LLM-assisted red teaming via an MCP client","Internal evaluation of Mythic automation triggered through MCP tools","Building/testing an MCP integration around Mythic"],"not_for":["Production deployment without significant hardening and operational safeguards","Public/unauthenticated exposure to untrusted users or networks","Compliance-sensitive environments without documented security posture"],"best_when":"Used in a controlled lab environment where the operator can tightly manage access to the Mythic backend and the MCP client host.","avoid_when":"Avoid when you cannot control where the MCP server will run, who can send commands, and how Mythic credentials/operations are secured.","alternatives":["Use Mythic directly with its native interface/automation (without an MCP layer)","Build a more robust MCP adapter with least-privilege auth and strong audit logging","Use other task-runner integrations that provide clearer contracts and safety controls (role-guarded actions)"],"af_score":25.0,"security_score":17.5,"reliability_score":25.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:51:56.412515+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Mythic backend connection using an admin username/password (as shown in the MCP client command args)"],"oauth":false,"scopes":false,"notes":"The README indicates passing Mythic admin credentials as command-line arguments to start the server. No evidence is provided of MCP-level auth, scoped permissions, or credential exchange best practices."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":25.0,"security_score":17.5,"reliability_score":25.0,"mcp_server_quality":35.0,"documentation_accuracy":40.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":20.0,"rate_limit_clarity":0.0,"tls_enforcement":20.0,"auth_strength":15.0,"scope_granularity":10.0,"dependency_hygiene":45.0,"secret_handling":5.0,"security_notes":"The README suggests Mythic admin credentials are passed as command-line arguments to start the MCP server. This is commonly risky (may leak via shell history/process table). No documentation is provided about transport security (TLS), MCP auth, scope/permission controls, audit logging, or operational hardening. Dependency list includes external packages but no vulnerability posture or pinned versions are shown.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":40.0,"error_recovery":20.0,"idempotency_support":"false","idempotency_notes":"No guidance provided regarding idempotency; pentesting actions are typically non-idempotent.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["The MCP server appears to be a POC demo; tool schemas, safety constraints, and failure-mode behaviors are not documented here.","Mythic admin credentials are supplied via command args, which may expose secrets in process listings/logs.","No rate-limit or retry/backoff behavior is documented for the MCP tools or Mythic interactions."]}}