MCP server: "dangerous" actions & new tools#21654
Open
cdelafuente-r7 wants to merge 2 commits into
Open
Conversation
Adds a job_listener: kwarg to run_simple / check_simple for exploit, auxiliary, post and evasion modules, exposes Msf::Module#run_uuid, and threads the resulting UUID through Msf::ExploitDriver and Msf::EvasionDriver so RunAsJob paths return [uuid, job_id] uniformly. Fix RPC module.check NotImplementedError handling and JSON-RPC regression Fix RPC session.interactive_read/write for non-meterpreter sessions
— Add 8 new MCP tools + input validator + client wrappers — Add dangerous_actions gate — Fix DB info tools required-field metadata — Update wiki documentation — Add integration test script — MCP plugin (plugins/mcp.rb) updates + specs
This was referenced Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This adds two related features to the MCP server:
The eight new tools
msf_module_executemodule.executeread_only_hint: false, destructive_hint: true, idempotent_hint: falsemsf_module_checkmodule.checkread_only_hint: false, destructive_hint: true, idempotent_hint: falsemsf_module_resultsmodule.resultsread_only_hint: true, destructive_hint: false, idempotent_hint: truemsf_running_statsmodule.running_statsread_only_hint: true, destructive_hint: false, idempotent_hint: truemsf_session_listsession.listread_only_hint: true, destructive_hint: false, idempotent_hint: truemsf_session_stopsession.stopread_only_hint: false, destructive_hint: true, idempotent_hint: falsemsf_session_readsession.interactive_readread_only_hint: true, destructive_hint: false, idempotent_hint: truemsf_session_writesession.interactive_writeread_only_hint: false, destructive_hint: true, idempotent_hint: falseDangerous-mode gate
Dangerous tools fail closed. The gate is opened by any one of:
--enable-dangerous-actionson themsfmcpdCLI.MSF_MCP_DANGEROUS_ACTIONS=true(or1,yes,on) in the environment.mcp.dangerous_actions: trueinconfig/mcp_config.yaml(or the JSON-RPC variant).Related Issue:
This resolves #21270.
IMPORTANT
This PR must be landed prior this one.
Breaking Changes
None
Reviewer Notes
This comes from this PR. I have extracted the MCP server changes here, as requested. The RPC/Framework-related code is in a separate PR.
Please only review the second commit (Add new MCP tools). The first one is handled by the other PR.
Verification Steps
Follow the steps in the documentation to setup and start the RPC and MCP servers.
The verification can be done manually using the MCP Inspector and test the MCP tools individually:
Or you can use your favorite LLM to test live. (see the documentation)
I also included an integration test script that simulates a MCP client and performs standard operations with the MCP tools. The script can be found here:
tools/dev/msfmcp_integration_test.rbAI Usage Disclosure
AI was used to help designing and implementing these changes (Copilot).
Pre-Submission Checklist
documentation/modules(new modules only)lib/changes)Hardware and Complex Software Module Guidance
If your module targets specialized hardware (routers, IoT, PLCs, etc.) or complex software (licensed, multi-service, or multi-version), provide a pcap, screen recording, or video showing successful execution.
Email sanitized pcaps/recordings to msfdev@metasploit.com — remove real IPs, credentials, and hostnames before sending. If hardware/software is unavailable, explain in the PR description.
Responsiveness and PR Takeover Policy
We want every contribution to make it into the project. If approximately 2 weeks pass after a review request without a comment or code update from you, the team may take over the PR and complete the work on your behalf.
If this happens, you will remain credited as a co-author on the final commit — your contribution is always recognized.
This policy exists to keep the project moving forward. It is not a reflection on the quality of your work or your involvement. Life happens, and we would rather finish the work together than let a good contribution go stale.