Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

burp-mcp

v0.1.0

Connect to a local Burp Suite MCP Server over SSE and list or call Burp tools from the workspace. Use when Burp Suite is running with the PortSwigger MCP ext...

by Huỳnh Ngọc Quang (@nquangit)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nquangit/burp-mcp.

Install the skill "burp-mcp" (nquangit/burp-mcp) from ClawHub.
Skill page: https://clawhub.ai/nquangit/burp-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install burp-mcp

ClawHub CLI

npx clawhub@latest install burp-mcp
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and instructions: the package contains a Python CLI that uses the Python 'mcp' SDK to talk to a local Burp MCP SSE endpoint. Required binary (python) and optional config.json are appropriate for the stated purpose.
Instruction Scope
SKILL.md and the script limit actions to connecting to a local SSE endpoint (default http://127.0.0.1:9876/), listing tools, and calling tools. The agent is instructed to run the included script; there are no instructions to read unrelated system files or environment variables, nor to transmit data to external endpoints.
Install Mechanism
The skill is instruction-only (no repository-level install step), but SKILL.md metadata and README mention installing the Python 'mcp' package via pip. Installing a third-party PyPI package is a normal dependency step for this functionality, but the user should verify the 'mcp' package's provenance before installing.
Credentials
No environment variables or credentials are requested. The script reads a local config.json inside the skill directory for an SSE URL (optional) — this is proportional to the goal and limited in scope.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and does not request persistent system-wide privileges. It runs as an on-demand CLI helper and prints JSON to stdout.
Assessment
This skill appears to do exactly what it says: connect to a local Burp MCP SSE server and list/call tools. Before installing or running it, ensure: (1) Burp Suite with the MCP extension is actually running on localhost as expected, (2) you are comfortable installing the Python 'mcp' package from PyPI — verify its origin and contents, and (3) avoid invoking any Burp tools that mutate state unless you understand their effects (the README and SKILL.md list several mutation-capable tools). The script only reads an optional config.json inside the skill folder and communicates with localhost; there are no requests for external credentials or unexpected network destinations.
config.json:2
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Runtime requirements

OS: Windows · Linux · macOS
Bins: python
latest: vk977aa21bztn7w9stfj94jmdj185nw8k
32 downloads
0 stars
1 version
Updated 16h ago
v0.1.0
MIT-0

Burp MCP

Use this skill to talk to a local Burp Suite MCP Server exposed by the PortSwigger extension.

When to use

  • Burp Suite is already running locally
  • The MCP extension is loaded and enabled
  • You want to inspect available Burp tools
  • You want to call a specific Burp MCP tool from the terminal or from OpenClaw via exec

Endpoint

Default endpoint used by this skill:

http://127.0.0.1:9876/

Important: on this machine, the live SSE endpoint is /, not /sse.

Commands

List Burp tools:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools

Call a Burp tool:

python ./skills/burp-mcp/scripts/burp_mcp.py call <tool_name> '<json_args>'

Examples:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools
python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history '{"offset":0,"count":5}'
python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history_regex '{"offset":0,"count":10,"regex":"login|token|auth"}'
python ./skills/burp-mcp/scripts/burp_mcp.py call output_project_options '{}'

How agents should use it

1) Always start with list-tools

Burp MCP tool names and schemas can change with extension version. Before calling tools in a new setup, list tools first:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools

This returns JSON entries with:

  • name
  • description
  • inputSchema

2) Match args to inputSchema

When calling a tool, build the JSON object to match the tool's required schema exactly.

Example:

  • get_proxy_http_history requires:
    • offset (integer)
    • count (integer)

So call it like:

python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history '{"offset":0,"count":20}'

3) Prefer safe read-only tools first

Safe first calls:

  • get_proxy_http_history
  • get_proxy_http_history_regex
  • get_proxy_websocket_history
  • get_scanner_issues
  • output_project_options
  • output_user_options

Be careful with mutation tools such as:

  • set_project_options
  • set_user_options
  • set_proxy_intercept_state
  • set_task_execution_engine_state
  • set_active_editor_contents
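
Steps 1 to 3 above combined into one pre-call check, as an added example (not part of the skill's own script): it validates arguments against a tool's inputSchema and refuses tools outside the read-only list unless allow_mutation is set. The sample list-tools output and the "intercepting" argument name are constructed for illustration.

```python
import json

# Read-only tools this page lists as safe first calls.
READ_ONLY_TOOLS = {
    "get_proxy_http_history", "get_proxy_http_history_regex",
    "get_proxy_websocket_history", "get_scanner_issues",
    "output_project_options", "output_user_options",
}
# JSON Schema primitive types mapped to Python types.
JSON_TYPES = {"integer": int, "number": (int, float), "string": str,
              "boolean": bool, "object": dict, "array": list}


def check_call(tools, name, args, allow_mutation=False):
    """Return a list of problems; an empty list means the call may proceed."""
    by_name = {t["name"]: t for t in tools}
    if name not in by_name:
        return [f"unknown tool: {name}"]
    problems = []
    if name not in READ_ONLY_TOOLS and not allow_mutation:
        problems.append(f"{name} is not on the read-only list")
    schema = by_name[name].get("inputSchema") or {}
    props = schema.get("properties", {})
    for field in schema.get("required", []):
        if field not in args:
            problems.append(f"missing required argument: {field}")
    for field, value in args.items():
        if field not in props:
            problems.append(f"unexpected argument: {field}")
            continue
        expected = props[field].get("type")
        py_type = JSON_TYPES.get(expected) if isinstance(expected, str) else None
        if py_type is None:
            continue  # no single primitive type stated, nothing to check
        # bool is a subclass of int in Python, so test it explicitly.
        is_bool = isinstance(value, bool)
        ok = is_bool if expected == "boolean" else (isinstance(value, py_type) and not is_bool)
        if not ok:
            problems.append(f"{field} should be {expected}")
    return problems


# Constructed list-tools output; "intercepting" is a hypothetical argument name.
SAMPLE_TOOLS = json.loads("""[
 {"name": "get_proxy_http_history", "description": "constructed sample",
  "inputSchema": {"type": "object", "required": ["offset", "count"],
   "properties": {"offset": {"type": "integer"}, "count": {"type": "integer"}}}},
 {"name": "set_proxy_intercept_state", "description": "constructed sample",
  "inputSchema": {"type": "object", "required": ["intercepting"],
   "properties": {"intercepting": {"type": "boolean"}}}}
]""")
```

In practice, feed check_call the parsed output of list-tools from the running Burp instance rather than a saved copy, since names and schemas can change with the extension version.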

Output behavior

  • list-tools prints a JSON array of tools
  • call prints a JSON object with:
    • isError
    • content

Burp often returns tool results as text blocks. Some tools return newline-separated JSON strings inside content[].text, so callers may need a second parse step if they want structured output.
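
The second parse step described above, as an added example (not code from the skill): it turns the JSON printed by call into a list of records, assuming one JSON object per line inside content[].text. The sample output, its record keys, and the trailing status line are constructed.

```python
import json


def parse_call_output(raw):
    """Parse the JSON printed by `call` into (records, unparsed_lines)."""
    result = json.loads(raw)
    blocks = result.get("content") or []
    texts = [b.get("text") or "" for b in blocks if isinstance(b, dict)]
    if result.get("isError"):
        # Surface the tool's error text instead of parsing it as data.
        raise RuntimeError("Burp tool error: " + " ".join(texts).strip())
    records, unparsed = [], []
    for text in texts:
        # Split on "\n" only: str.splitlines() also breaks on characters such
        # as U+2028, which can sit unescaped inside a JSON string.
        for line in text.split("\n"):
            line = line.strip()
            if not line:
                continue
            try:
                value = json.loads(line)
            except json.JSONDecodeError:
                value = None
            # Only JSON objects count as records; anything else stays text.
            if isinstance(value, dict):
                records.append(value)
            else:
                unparsed.append(line)
    return records, unparsed


# Constructed sample of what `call` prints; the record keys are hypothetical.
_lines = [json.dumps({"request": "GET /login HTTP/1.1", "notes": ""}),
          "",
          json.dumps({"request": "POST /token HTTP/1.1", "notes": ""}),
          "Reached end of items"]
SAMPLE_OUTPUT = json.dumps({"isError": False,
                            "content": [{"type": "text", "text": "\n".join(_lines)}]})
```

Proxy history is captured traffic, so treat every parsed field as untrusted data when passing it on to other tooling.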

Troubleshooting

  • If connection fails, verify Burp is open and the MCP extension is enabled
  • If /sse fails, use / instead
  • If tool calls return schema errors, re-run list-tools and check inputSchema
  • If nothing returns, test manually with:
curl http://127.0.0.1:9876 -v

A healthy server should return text/event-stream

Notes

  • Uses the official Python mcp SDK
  • Requires asyncio
  • Assumes the mcp package is already installed in the active Python environment
