REMnux MCP Server

Execute malware analysis tools on a REMnux system via AI assistants

ai-tools 54malware-analysisremnuxsecuritycybersecurity
README.md

remnux-mcp-server

MCP server for using the REMnux malware analysis toolkit via AI assistants.

Overview

This server enables AI assistants (Claude Code, OpenCode, Cursor, etc.) to execute malware analysis tools on a REMnux system. It supports three deployment scenarios:

  1. AI tool on your machine, REMnux as Docker/VM — MCP server runs on your machine, reaches into REMnux over Docker exec or SSH
  2. AI tool and MCP server both on REMnux — everything runs locally on the same REMnux system (simplest setup)
  3. AI tool on your machine, MCP server on REMnux — MCP server runs inside REMnux, your AI tool connects over HTTP

Beyond raw command execution, the server encodes malware analysis domain expertise:

  • Recommends the right tools for each file type (suggest_tools) and retrieves usage flags for any installed tool (get_tool_help)
  • Runs appropriate tool chains automatically (analyze_file) with structured output and IOC extraction
  • Uses neutral language to counteract confirmation bias in AI-generated verdicts

For additional tool documentation, you can optionally enable the REMnux docs MCP server.

Architecture

Three deployment scenarios are supported depending on where the MCP server and AI assistant run.

Scenario 1: Server on Analyst's Machine

The MCP server runs on the analyst's workstation and connects to a separate REMnux system over Docker exec or SSH.

+--------------------------------------------------------------------+
|  Analyst's Machine                                                 |
|                                                                    |
|  +----------------+     +--------------------------------------+   |
|  |  AI Assistant  |---->|  remnux-mcp-server (npm package)     |   |
|  | (Claude Code,  | MCP |                                      |   |
|  |  Cursor, etc)  |     |  - Blocked command patterns          |   |
|  +----------------+     |  - Dangerous pipe blocking           |   |
|                         |  - Path sandboxing (opt-in)          |   |
|                         +------|-------------------------------+   |
|                                |                                   |
|                    +-----------+----------+                        |
|                    v                      v                        |
|            +--------------+      +--------------+                  |
|            | Docker Exec  |      |     SSH      |                  |
|            | (container)  |      |    (VM)      |                  |
|            +------+-------+      +------+-------+                  |
|                   |                     |                           |
+-------------------|---------------------|---------------------------+
                    v                     v
             +-----------+        +-----------+
             |  REMnux   |        |  REMnux   |
             | Container |        |    VM     |
             +-----------+        +-----------+

Scenario 2: Everything on REMnux

The AI assistant and MCP server both run on the REMnux system. The server uses the Local connector with stdio transport — no network, no Docker exec, no SSH. This is the simplest setup.

+-------------------------------+
|  REMnux (VM or bare metal)    |
|                               |
|  +----------------+           |
|  |  AI Assistant  |           |
|  | (Claude Code,  |   stdio   |
|  |  OpenCode)     +--------+  |
|  +----------------+        |  |
|                            v  |
|  +-------------------------+  |
|  | remnux-mcp-server       |  |
|  |  --mode=local (default) |  |
|  |                         |  |
|  |  - Local connector      |  |
|  |  - Security layers      |  |
|  +-------------------------+  |
|                               |
|  REMnux tools (native)        |
+-------------------------------+

Scenario 3: Server Inside REMnux

The MCP server runs inside the REMnux VM or container using the Local connector. The AI assistant connects over the network via Streamable HTTP transport. This is the deployment scenario used by REMnux salt-states.

+----------------+   Streamable HTTP   +------------------------------+
|  AI Assistant  |----(network)------->|  REMnux (VM/Container)       |
| (Claude Code,  |                     |                              |
|  Cursor, etc)  |                     |  +------------------------+  |
+----------------+                     |  | remnux-mcp-server      |  |
                                       |  |  --mode=local          |  |
                                       |  |  --transport=http      |  |
                                       |  |                        |  |
                                       |  |  - Local connector     |  |
                                       |  |  - Security layers     |  |
                                       |  +------------------------+  |

Tools 3

suggest_toolsRecommends the right tools for a specific file type.
get_tool_helpRetrieves usage flags and documentation for any installed tool.
analyze_fileRuns appropriate tool chains automatically on a file with structured output and IOC extraction.

Try it

Suggest the best tools to analyze this suspicious executable file: /home/remnux/samples/malware.exe
Run an automated analysis on the file at /home/remnux/samples/suspicious.pdf and extract any IOCs found.
Show me the help documentation and usage flags for the 'strings' tool.
Analyze the file /home/remnux/samples/payload.elf and provide a structured report.

Frequently Asked Questions

What are the key features of REMnux MCP Server?

Supports multiple deployment scenarios including Docker, SSH, and local execution. Provides automated file-type analysis and tool recommendations. Executes tool chains automatically with structured output and IOC extraction. Includes security guardrails like blocked command patterns and path sandboxing. Retrieves usage flags and documentation for installed malware analysis tools.

What can I use REMnux MCP Server for?

Automating the initial triage of suspicious files during malware investigation. Standardizing malware analysis workflows across different analyst workstations. Enabling AI-assisted exploration of the REMnux toolkit for security researchers. Extracting Indicators of Compromise (IOCs) from files in a sandboxed environment.

How do I install REMnux MCP Server?

Install REMnux MCP Server by running: npx -y @remnux/mcp-server

What MCP clients work with REMnux MCP Server?

REMnux MCP Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep REMnux MCP Server docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Open Conare

Related MCP Servers

Skill Seekers
The data layer for AI systems.
ai-tools11.1K stars
Context Mode
The other half of the context problem.
ai-tools5.6K stars
Semiotic
A React data visualization library designed for AI-assisted development.
ai-tools2.6K stars
RocketRide
Self-hosted, open-source AI pipeline platform for MCP tools
ai-tools1.6K stars
Context+
Semantic Intelligence for Large-Scale Engineering.
ai-tools1.5K stars
ShipSwift
AI-native SwiftUI component library — production-ready code for LLMs
ai-tools1.3K stars