Add it to Claude Code
claude mcp add remnux-mcp-server -- npx -y @remnux/mcp-serverMake your agent remember this setup
remnux-mcp-server's config, env vars, and the gotchas you hit — recalled in every future Claude Code, Cursor, and Codex session.
npx conare@latestFree · one command · indexes the sessions already on disk. Set up in the browser instead →
What it does
- Supports multiple deployment scenarios including Docker, SSH, and local execution
- Provides automated file-type analysis and tool recommendations
- Executes tool chains automatically with structured output and IOC extraction
- Includes security guardrails like blocked command patterns and path sandboxing
- Retrieves usage flags and documentation for installed malware analysis tools
Tools 3
suggest_toolsRecommends the right tools for a specific file type.get_tool_helpRetrieves usage flags and documentation for any installed tool.analyze_fileRuns appropriate tool chains automatically on a file with structured output and IOC extraction.Try it
Original README from REMnux/remnux-mcp-server
remnux-mcp-server
MCP server for using the REMnux malware analysis toolkit via AI assistants.
Overview
This server enables AI assistants (Claude Code, OpenCode, Cursor, etc.) to execute malware analysis tools on a REMnux system. It supports three deployment scenarios:
- AI tool on your machine, REMnux as Docker/VM — MCP server runs on your machine, reaches into REMnux over Docker exec or SSH
- AI tool and MCP server both on REMnux — everything runs locally on the same REMnux system (simplest setup)
- AI tool on your machine, MCP server on REMnux — MCP server runs inside REMnux, your AI tool connects over HTTP
Beyond raw command execution, the server encodes malware analysis domain expertise:
- Recommends the right tools for each file type (
suggest_tools) and retrieves usage flags for any installed tool (get_tool_help) - Runs appropriate tool chains automatically (
analyze_file) with structured output and IOC extraction - Uses neutral language to counteract confirmation bias in AI-generated verdicts
For additional tool documentation, you can optionally enable the REMnux docs MCP server.
Architecture
Three deployment scenarios are supported depending on where the MCP server and AI assistant run.
Scenario 1: Server on Analyst's Machine
The MCP server runs on the analyst's workstation and connects to a separate REMnux system over Docker exec or SSH.
+--------------------------------------------------------------------+
| Analyst's Machine |
| |
| +----------------+ +--------------------------------------+ |
| | AI Assistant |---->| remnux-mcp-server (npm package) | |
| | (Claude Code, | MCP | | |
| | Cursor, etc) | | - Blocked command patterns | |
| +----------------+ | - Dangerous pipe blocking | |
| | - Path sandboxing (opt-in) | |
| +------|-------------------------------+ |
| | |
| +-----------+----------+ |
| v v |
| +--------------+ +--------------+ |
| | Docker Exec | | SSH | |
| | (container) | | (VM) | |
| +------+-------+ +------+-------+ |
| | | |
+-------------------|---------------------|---------------------------+
v v
+-----------+ +-----------+
| REMnux | | REMnux |
| Container | | VM |
+-----------+ +-----------+
Scenario 2: Everything on REMnux
The AI assistant and MCP server both run on the REMnux system. The server uses the Local connector with stdio transport — no network, no Docker exec, no SSH. This is the simplest setup.
+-------------------------------+
| REMnux (VM or bare metal) |
| |
| +----------------+ |
| | AI Assistant | |
| | (Claude Code, | stdio |
| | OpenCode) +--------+ |
| +----------------+ | |
| v |
| +-------------------------+ |
| | remnux-mcp-server | |
| | --mode=local (default) | |
| | | |
| | - Local connector | |
| | - Security layers | |
| +-------------------------+ |
| |
| REMnux tools (native) |
+-------------------------------+
Scenario 3: Server Inside REMnux
The MCP server runs inside the REMnux VM or container using the Local connector. The AI assistant connects over the network via Streamable HTTP transport. This is the deployment scenario used by REMnux salt-states.
+----------------+ Streamable HTTP +------------------------------+
| AI Assistant |----(network)------->| REMnux (VM/Container) |
| (Claude Code, | | |
| Cursor, etc) | | +------------------------+ |
+----------------+ | | remnux-mcp-server | |
| | --mode=local | |
| | --transport=http | |
| | | |
| | - Local connector | |
| | - Security layers | |
| +------------------------+ |