MCP Server

A Python MCP server based on the public ScanMalware.com API, providing functions such as malware scanning, phishing detection, and TLS certificate checking. It supports local running, Docker deployment, and DigitalOcean cloud server deployment.

Security Research and data #Malware scanning #Network security #MCP service #API encapsulation .Python

rating : 2 points

downloads : 5.6K

update time : 2026-03-13

Open Site

What is the ScanMalware MCP Server?

The ScanMalware MCP server serves as a bridge, exposing the capabilities of the professional malware and phishing website scanning service (ScanMalware.com) to AI assistants through the Model Context Protocol (MCP) standard. This means that when chatting with an AI like Claude, you can directly request it to analyze a suspicious link without leaving the chat interface. The server will handle all complex communications with the backend scanning API and return structured results to the AI, which will then summarize them for you in an easy - to - understand manner.

How to Use the ScanMalware MCP Server?

Using it requires two parts: 1) A running ScanMalware MCP server (you can run it locally on your computer or connect to our publicly deployed instance). 2) An AI client that supports the MCP protocol (such as Claude Desktop), and configure it to connect to the server. After configuration, you can naturally make analysis requests in the conversation, for example: "Please help me check if the link `https://suspicious - login.com` is safe." The AI will call the tools provided by the server to complete the scan and report to you.

Applicable Scenarios

This service is very suitable for scenarios that require a quick preliminary judgment of website security, such as: - **Email security analysis**: When receiving a link in a suspicious email, immediately let the AI assistant perform a scan. - **Brand protection monitoring**: Regularly search for phishing websites that imitate the company's official website or login page. - **Security operations assistance**: Provide a tool for security analysts to quickly query scan history and details. - **Personal security protection**: Conduct a security check before clicking on an unfamiliar link.

Main Features

Submit URL for Scanning

Submit a URL to ScanMalware.com for in - depth security scanning. You can specify the scanning depth (quick/deep) and choose whether to wait for the scan to complete before returning the results.

Get Scan Results and Status

Query the detailed results of a specific scan task through the scan ID, including the risk score, threat classification, detected indicators (such as suspicious JavaScript, malicious redirection), and the scan status (queued, in progress, completed).

Search Historical Scan Records

Search in the historical scan database using various filtering conditions (such as keywords, risk levels, time ranges, statuses) to facilitate threat hunting and trend analysis.

Download Scan Resources

Obtain rich resource files generated during the scan, such as: - **Website screenshots**: Visual snapshots of the page during the scan. - **TLS certificates**: Details of the website's SSL/TLS certificates (in PEM format). - **Page text**: Extracted text content of the web page. - **Technical metadata**: IP addresses, server header information, DNS records, etc.

TLS/SSL Certificate Check

Specifically obtain and analyze detailed information about the TLS/SSL certificates used by the website, including the issuer, validity period, and Subject Alternative Name (SAN), to help identify certificate fraud or configuration errors.

Flexible Deployment Modes

Support multiple running modes to meet different needs: - **Local running**: Quickly test using a Python virtual environment. - **Docker containerization**: Facilitate deployment and isolation in a server environment. - **Cloud deployment**: Provide complete scripts for one - click deployment to cloud platforms such as DigitalOcean.

Advantages

**Seamless AI integration**: Enable AI assistants to directly obtain professional security scanning capabilities, improving work efficiency.

**Comprehensive functions**: Cover the complete workflow from submitting scans, querying results to downloading evidence.

**Easy to deploy**: Provide detailed local and cloud deployment guides, support Docker, and reduce the operation and maintenance threshold.

**Standardized protocol**: Based on the MCP protocol, compatible with any client that supports the protocol, with good future scalability.

**Secure and controllable**: Support configuration of API tokens and access control, and can be deployed in an intranet environment.

Limitations

**Dependence on the backend API**: The depth and quality of the scanning function depend on the capabilities and quotas of the ScanMalware.com public API.

**Non - real - time interaction**: Deep scans may take a long time (tens of seconds to minutes), which is not suitable for scenarios that require second - level responses.

**Requires technical knowledge**: Initial server deployment and client configuration require certain command - line and system management knowledge.

**Some advanced functions are restricted**: Some advanced or experimental API endpoints of ScanMalware.com are not exposed in this MCP server.

How to Use

Start the MCP Server

First, you need to get the ScanMalware MCP server up and running. The simplest way is to run it locally using Python.

Configure the AI Client

Next, add this MCP server to the configuration file of your AI client (such as Claude Desktop). This usually involves editing a JSON configuration file.

Use in Conversation

After restarting the AI client, you can directly use the scanning function in the conversation. The AI now knows it has tools such as 'submit scan' and 'query results'.

(Optional) Deploy to the Cloud

If you want to share it with the team or run it long - term, you can deploy the server to a DigitalOcean cloud server according to the documentation and provide secure HTTP access through Nginx.

Usage Cases

Rapid Identification of Phishing Links

A user receives an email pretending to be from a technology company (such as 'TechCorp') asking to update account information. The user is suspicious of the link in the email.

Brand Abuse Monitoring Report

The security team of a company wants to check once a week if there are any new phishing websites imitating its brand (such as 'Acme') on the Internet.

In - depth Website Security Analysis

Developers or security researchers need to conduct in - depth analysis of a website marked as suspicious to obtain technical details as evidence or research materials.

Frequently Asked Questions

Do I need to pay to use the ScanMalware.com API?

How long does it take to scan a link?

Can I scan websites in the company's intranet?

How to ensure the security of my MCP server communication?

Why do some search tools tell me that I need to provide at least one filtering condition?

Related Resources

ScanMalware.com Official Website

Learn detailed information, function demonstrations, and API documentation of the backend scanning service.

Model Context Protocol (MCP) Official Site

Learn the standards, specifications, and working principles of the MCP protocol.

Project Source Code Repository

Obtain the latest source code of this MCP server, submit issues, and contribute code.

DigitalOcean Console

If you choose cloud deployment, you can manage your Droplet (cloud server), firewall, and network settings here.

Claude Desktop Download and Configuration

Download the Claude Desktop client that supports MCP and view the official guide for configuring the MCP server.

🚀 scanmalware-mcp

A minimal Python MCP server that wraps the public ScanMalware.com API.

🚀 Quick Start

🔍 Operations

Refer to docs/OPERATIONS.md for deployment, TLS, logging, and instructions on how to connect to the DigitalOcean droplet.

💻 Usage Examples

🏠 Run locally (Streamable HTTP)

python -m venv .venv
source .venv/bin/activate
pip install -U pip
pip install .

export MCP_TRANSPORT=streamable-http
export MCP_HOST=127.0.0.1
export MCP_PORT=8000

scanmalware-mcp

🐳 Run with Docker

docker build -t scanmalware-mcp .
docker run --rm -p 127.0.0.1:8000:8000 \
  -e MCP_TRANSPORT=streamable-http \
  -e MCP_HOST=0.0.0.0 \
  -e MCP_PORT=8000 \
  scanmalware-mcp

Optional: Set MCP_AUTH_TOKEN to require Authorization: Bearer <MCP_AUTH_TOKEN> for HTTP transports.

Optional auth env vars (only needed for auth - gated endpoints):

SCANMALWARE_BEARER_TOKEN

Other env vars:

SCANMALWARE_BASE_URL (default: https://scanmalware.com)
SCANMALWARE_ALLOW_HTTP (default: false)
SCANMALWARE_TIMEOUT_S (default: 30)
SCANMALWARE_MAX_DOWNLOAD_BYTES (default: 10485760)
SCANMALWARE_ALLOW_PRIVATE_TARGETS (default: false)
SCANMALWARE_CA_CERT (optional; path to a CA bundle for SSL bump)

MCP server security env vars:

MCP_AUTH_TOKEN (if set, HTTP transports require Authorization: Bearer <token>)
MCP_RESOURCE_SERVER_URL / MCP_ISSUER_URL (optional; only used when MCP_AUTH_TOKEN is set)

Tool note: submit_scan does not call /api/v1/csrf-token; there is no CSRF token tool. Tool note: Some upstream endpoints are disabled and excluded from the tool list (e.g., get_improvements, find_screenshot_duplicates, get_ai_stats, search_js_fingerprinter2_code_hash, search_js_segments_by_tlsh). Some search tools require at least one filter and will raise a validation error if none are provided.

📝 Example prompts

Phishing triage (submit → wait → summarize):

Submit a scan for https://example-login-update.com, wait for completion, and
return status, risk_score, and the top indicators. If high risk, include the
AI analysis and screenshot resource.

Brand abuse monitoring:

Search scans for "acme login" (limit 5). For each result, list scan_id,
status, risk_score, and URL. Highlight anything marked high risk.

TLS/certificate inspection:

For scan_id 1234...abcd, fetch TLS details and the certificate PEM download.
Summarize issuer, subject, validity dates, and SANs; flag mismatches.

🚢 Deploy to DigitalOcean (Debian + Docker + Nginx)

📋 Prereqs

doctl authenticated (doctl auth init)
SSH key uploaded to DigitalOcean (used by doctl compute droplet create)

🚀 Create a small droplet in Germany (Frankfurt)

DROPLET_NAME=scanmalware-mcp-small
REGION=fra1
SIZE=s-1vcpu-2gb
IMAGE=debian-12-x64
SSH_KEYS=$(doctl compute ssh-key list --format ID --no-header | paste -sd, -)

doctl compute droplet create "$DROPLET_NAME" \
  --region "$REGION" \
  --size "$SIZE" \
  --image "$IMAGE" \
  --ssh-keys "$SSH_KEYS" \
  --tag-name scanmalware-mcp \
  --wait

🔥 Firewall (public HTTP/HTTPS + SSH)

doctl compute firewall create \
  --name scanmalware-mcp-fw \
  --inbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0,address:::0/0" \
  --inbound-rules "protocol:tcp,ports:80,address:0.0.0.0/0,address:::0/0" \
  --inbound-rules "protocol:tcp,ports:443,address:0.0.0.0/0,address:::0/0" \
  --outbound-rules "protocol:icmp,ports:0,address:0.0.0.0/0,address:::0/0" \
  --outbound-rules "protocol:tcp,ports:0,address:0.0.0.0/0,address:::0/0" \
  --outbound-rules "protocol:udp,ports:0,address:0.0.0.0/0,address:::0/0" \
  --droplet-ids <droplet-id>

🐋 Install Docker + compose on the droplet

ssh -i /path/to/key root@<droplet-ip> \
  "apt-get update -y && apt-get install -y docker.io docker-compose"

📤 Upload and run

tar --exclude=.git --exclude=.venv --exclude=__pycache__ -czf /tmp/scanmalware-mcp.tar.gz -C . .
scp -i /path/to/key /tmp/scanmalware-mcp.tar.gz root@<droplet-ip>:/tmp/
ssh -i /path/to/key root@<droplet-ip> \
  "mkdir -p /opt/scanmalware-mcp && tar -xzf /tmp/scanmalware-mcp.tar.gz -C /opt/scanmalware-mcp"
ssh -i /path/to/key root@<droplet-ip> \
  "cd /opt/scanmalware-mcp && docker-compose -f deploy/docker-compose.yml up -d --build"

✅ Verify

curl -I https://mcp.scanmalware.com/
curl -I https://mcp.scanmalware.com/mcp

/ should return 200 from Nginx. /mcp returns 406 on GET without MCP Accept headers, which is expected.

🧪 Smoke test (MCP initialize + tools/list)

python - <<'PY'
import json
import httpx

URL = "http://<droplet-ip>/mcp"
HEADERS = {
    "accept": "application/json, text/event-stream",
    "content-type": "application/json",
}

init_payload = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-06-18",
        "capabilities": {},
        "clientInfo": {"name": "mcp-smoke-test", "version": "0.1.0"},
    },
}

with httpx.Client(timeout=10) as client:
    init_resp = client.post(URL, headers=HEADERS, json=init_payload)
    init_resp.raise_for_status()
    session_id = init_resp.headers.get("mcp-session-id")

    def extract_sse_data(text: str) -> dict:
        for line in text.splitlines():
            if line.startswith("data: "):
                return json.loads(line[len("data: "):])
        raise ValueError("No SSE data line found")

    init_message = extract_sse_data(init_resp.text)
    protocol_version = init_message["result"]["protocolVersion"]

    # Send initialized notification
    client.post(
        URL,
        headers={
            **HEADERS,
            "mcp-session-id": session_id,
            "mcp-protocol-version": protocol_version,
        },
        json={"jsonrpc": "2.0", "method": "notifications/initialized"},
    )

    tools_resp = client.post(
        URL,
        headers={
            **HEADERS,
            "mcp-session-id": session_id,
            "mcp-protocol-version": protocol_version,
        },
        json={"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
    )
    tools_resp.raise_for_status()
    tools_message = extract_sse_data(tools_resp.text)
    tool_names = [tool["name"] for tool in tools_message["result"]["tools"]]

print("protocol_version:", protocol_version)
print("tool_count:", len(tool_names))
print("tools:", ", ".join(tool_names))
PY

🔄 Redeploy / new deploys

Two common flows:

In - place update (same droplet)

tar --exclude=.git --exclude=.venv --exclude=__pycache__ -czf /tmp/scanmalware-mcp.tar.gz -C . .
scp -i /path/to/key /tmp/scanmalware-mcp.tar.gz root@<droplet-ip>:/tmp/
ssh -i /path/to/key root@<droplet-ip> \
  "bash /opt/scanmalware-mcp/deploy/redeploy.sh /tmp/scanmalware-mcp.tar.gz"

The redeploy script stops containers before swapping files to avoid bind - mount inode issues. If the script is not on the droplet yet, run the legacy tar + docker - compose command once to install it.

Optional one - shot helper from the repo root:

./deploy/push-redeploy.sh root@<droplet-ip> /path/to/key

Rolling deploy (new droplet)

Create a new droplet (steps above)
Deploy the same bundle
Switch DNS to the new IP
Destroy the old droplet when ready

doctl compute droplet delete <old-droplet-id> --force

Notion Api MCP

Certified

A Python-based MCP Server that provides advanced to-do list management and content organization functions through the Notion API, enabling seamless integration between AI models and Notion.

The GitLab MCP server is a project based on the Model Context Protocol that provides a comprehensive toolset for interacting with GitLab accounts, including code review, merge request management, CI/CD configuration, and other functions.

TypeScript

24.7K

4.3 points

Duckduckgo MCP Server

Certified

The DuckDuckGo Search MCP Server provides web search and content scraping services for LLMs such as Claude.

Markdownify is a multi-functional file conversion service that supports converting multiple formats such as PDFs, images, audio, and web page content into Markdown format.

UnityMCP is a Unity editor plugin that implements the Model Context Protocol (MCP), providing seamless integration between Unity and AI assistants, including real - time state monitoring, remote command execution, and log functions.

32.5K

5 points

Figma Context MCP

Framelink Figma MCP Server is a server that provides access to Figma design data for AI programming tools (such as Cursor). By simplifying the Figma API response, it helps AI more accurately achieve one - click conversion from design to code.

A Gmail automatic authentication MCP server designed for Claude Desktop, supporting Gmail management through natural language interaction, including complete functions such as sending emails, label management, and batch operations.

Context7 MCP is a service that provides real-time, version-specific documentation and code examples for AI programming assistants. It is directly integrated into prompts through the Model Context Protocol to solve the problem of LLMs using outdated information.

TypeScript

97.5K

4.7 points

Zhiqi Future, Your AI Solution Think Tank

English 简体中文繁體中文にほんご

MCP Server

Overview

Content Details

Alternatives

What is the ScanMalware MCP Server?

How to Use the ScanMalware MCP Server?

Applicable Scenarios

Main Features

How to Use

Usage Cases

Frequently Asked Questions

Related Resources

Installation

🚀 scanmalware-mcp

🚀 Quick Start

🔍 Operations

💻 Usage Examples

🏠 Run locally (Streamable HTTP)

🐳 Run with Docker

📝 Example prompts

🚢 Deploy to DigitalOcean (Debian + Docker + Nginx)

📋 Prereqs

🚀 Create a small droplet in Germany (Frankfurt)

🔥 Firewall (public HTTP/HTTPS + SSH)

🐋 Install Docker + compose on the droplet

📤 Upload and run

✅ Verify

🧪 Smoke test (MCP initialize + tools/list)

🔄 Redeploy / new deploys

Alternatives