A community-driven registry for the Claude Code ecosystem. Not affiliated with Anthropic.
Are you the author? Sign in to claim
MISP (Malware Information Sharing Platform) MCP server with built-in prompt injection defense via prompt-defense-audit
A Model Context Protocol server for MISP (Malware Information Sharing Platform), with built-in prompt injection defense powered by prompt-defense-audit.
Why this exists: MISP holds operational threat intel — IOCs, threat actor profiles, attack patterns. When you connect an LLM agent to MISP via MCP, two new attack surfaces emerge:
- Adversarial seeding. A threat actor who can submit content into your MISP instance (or a federated feed) can plant prompt-injection payloads designed to hijack downstream LLM agents.
- Sensitive intel leakage. A manipulated LLM can be coerced into returning intel above its authorized TLP level.
This server wraps every outgoing MISP response in
prompt-defense-audit's output scanner, blocking high-risk patterns before they reach the LLM. Read-only by design — no write tools exposed.
Tracks: MISP/MISP#10745 — MCP server for MISP
MISP_URL and MISP_API_KEYnpm install -g @ultralab/misp-mcp-server
Or use npx directly in your MCP client config (no install needed).
Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%/Claude/claude_desktop_config.json on Windows):
{
"mcpServers": {
"misp": {
"command": "npx",
"args": ["-y", "@ultralab/misp-mcp-server"],
"env": {
"MISP_URL": "https://misp.your-org.example",
"MISP_API_KEY": "your_misp_api_key_here"
}
}
}
}
Cursor / Continue / Cline — similar pattern, see your client's MCP config docs.
"What MISP events are tagged tlp:white from the last 7 days?"
"Show me event 12345 — I'm investigating a phishing report."
"What threat actor galaxies do we have configured?"
"Find all attributes matching the IP 198.51.100.42."
| Tool | Purpose |
|---|---|
misp_version | Health check + server version |
misp_list_events | Paginated event headers |
misp_get_event | Full event with attributes (scanned for injection) |
misp_search_events | Search by tag / type / value / date range |
misp_search_attributes | Direct IOC lookup |
misp_list_tags | All configured tags (TLP, taxonomy, etc.) |
misp_list_feeds | Configured threat-intel feeds |
misp_list_galaxies | Threat actor / campaign clusters |
Mutation tools intentionally not included. An LLM with write access to MISP is a supply-chain compromise vector. If you need agent-driven MISP mutations, build a per-tool allowlist with human-in-the-loop confirmation.
Every tool response is run through prompt-defense-audit's scanOutput before being returned to the LLM client.
High-risk patterns (critical / high severity) — response is blocked and replaced with a safe summary. Example trigger patterns:
<script>...</script>)javascript:)prompt-defense-audit's 17+ vector libraryLow/medium-risk patterns — response annotated with a [defense] prefix listing matched patterns but still returned.
PROMPT_DEFENSE_DISABLED=true
Use only if you fully trust your MISP instance + all federated feeds and need raw response fidelity for a specific debugging scenario.
| Variable | Required | Default | Notes |
|---|---|---|---|
MISP_URL | ✅ | — | Base URL of your MISP instance (e.g. https://misp.example.com) |
MISP_API_KEY | ✅ | — | MISP automation API key (Profile → Auth Keys) |
MISP_INSECURE_TLS | ❌ | false | Set to true only for self-signed dev instances |
PROMPT_DEFENSE_DISABLED | ❌ | false | Set true to skip output scanning (NOT recommended) |
The free OSS defense layer ships with prompt-defense-audit (17+ regex-based vectors, ~3ms latency, deterministic).
For deployments that need:
→ Upgrade path: route MCP server through Quartz Cloud — Taiwan-domiciled runtime AI firewall, drop-in passthrough.
git clone https://github.com/ppcvote/misp-mcp-server.git
cd misp-mcp-server
npm install
npm test # smoke tests, no live MISP
npm run dev # tsx watch mode
npm run build # produce dist/
LLM client (Claude Desktop, Cursor, etc.)
│ stdio
▼
@ultralab/misp-mcp-server
│
├─ src/tools.ts — 8 read-only tool definitions + dispatch
├─ src/misp-client.ts — minimal MISP REST API wrapper
└─ src/index.ts — MCP Server + scanOutput() defense layer
│
▼
MISP REST API (/events, /attributes, /tags, /feeds, /galaxies)
Built by Ultra Lab — a one-person AI products company in Taiwan, focused on AI safety, threat intel, and the supply chain between LLM agents and operational security tooling.
This server is part of a broader thesis: the MCP ecosystem will be a major prompt-injection vector unless servers default to defensive output handling. We're shipping reference implementations for high-leverage targets (MISP first, OpenCTI / TheHive / Vault next) to anchor the standard.
Companion projects:
prompt-defense-audit — the underlying detection engineultraprobe — CLI scanner for AI app system promptsquartz.tw — paid runtime firewall (audit logs, team policies, jurisdictional moat)MIT © 2026 Ultra Lab — see LICENSE.
PRs welcome. Please:
For discussion, see MISP/MISP#10745.
Run Claude Code as an MCP server so any agent can delegate coding tasks to it
Browser automation using accessibility snapshots instead of screenshots
English-first Korean equity intelligence MCP — DART filings, foreign-holder 5%-rule flows, activist filings, KRX news. F
Unity MCP acts as a bridge between AI assistants and your Unity Editor. Give your LLM tools to manage assets, control sc
0
via CLI
