nquangit

burp-mcp

by Huỳnh Ngọc Quang · GitHub ↗ · v0.1.0 · MIT-0
win32 · linux · darwin · ⚠ suspicious
51 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install burp-mcp
Description
Connect to a local Burp Suite MCP Server over SSE and list or call Burp tools from the workspace. Use when Burp Suite is running with the PortSwigger MCP ext...
README (SKILL.md)

Burp MCP

Use this skill to talk to a local Burp Suite MCP Server exposed by the PortSwigger extension.

When to use

  • Burp Suite is already running locally
  • The MCP extension is loaded and enabled
  • You want to inspect available Burp tools
  • You want to call a specific Burp MCP tool from the terminal or from OpenClaw via exec

Endpoint

Default endpoint used by this skill:

http://127.0.0.1:9876/

Important: on this machine, the live SSE endpoint is /, not /sse.

Commands

List Burp tools:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools

Call a Burp tool:

python ./skills/burp-mcp/scripts/burp_mcp.py call <tool_name> '<json_args>'

Examples:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools
python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history '{"offset":0,"count":5}'
python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history_regex '{"offset":0,"count":10,"regex":"login|token|auth"}'
python ./skills/burp-mcp/scripts/burp_mcp.py call output_project_options '{}'

How agents should use it

1) Always start with list-tools

Burp MCP tool names and schemas can change with extension version. Before calling tools in a new setup, list tools first:

python ./skills/burp-mcp/scripts/burp_mcp.py list-tools

This returns JSON entries with:

  • name
  • description
  • inputSchema

2) Match args to inputSchema

When calling a tool, build the JSON object to match the tool's required schema exactly.

Example:

  • get_proxy_http_history requires:
    • offset (integer)
    • count (integer)

So call it like:

python ./skills/burp-mcp/scripts/burp_mcp.py call get_proxy_http_history '{"offset":0,"count":20}'

3) Prefer safe read-only tools first

Safe first calls:

  • get_proxy_http_history
  • get_proxy_http_history_regex
  • get_proxy_websocket_history
  • get_scanner_issues
  • output_project_options
  • output_user_options

Be careful with mutation tools such as:

  • set_project_options
  • set_user_options
  • set_proxy_intercept_state
  • set_task_execution_engine_state
  • set_active_editor_contents
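
The three steps above can be enforced as one pre-flight check before any call is issued. This is an added example, not code from the skill: `check_call`, `READ_ONLY` and `SAMPLE_TOOLS` are hypothetical names, and the sample list-tools entry is constructed from the schema this README states for get_proxy_http_history.

```python
import json

# Tool names copied from the "safe first calls" list in this README.
READ_ONLY = {"get_proxy_http_history", "get_proxy_http_history_regex",
             "get_proxy_websocket_history", "get_scanner_issues",
             "output_project_options", "output_user_options"}

# JSON Schema type -> Python check (bool is a subclass of int, so exclude it).
TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
}

def check_call(tools, name, args, allow_mutation=False):
    """Return a list of problems; an empty list means the call may proceed.

    `tools` is the parsed list-tools output. Hypothetical helper, not part of the skill.
    """
    # Step 3: anything off the read-only list is treated as state-changing.
    if name not in READ_ONLY and not allow_mutation:
        return [f"{name} is not on the read-only list; needs explicit approval"]
    # Step 1: the tool must exist in the current list-tools output.
    schema = next((t.get("inputSchema", {}) for t in tools if t.get("name") == name), None)
    if schema is None:
        return [f"{name} not in list-tools output; re-run list-tools"]
    # Step 2: required keys present, no unknown keys, basic types match.
    props = schema.get("properties", {})
    problems = [f"missing required arg: {k}"
                for k in schema.get("required", []) if k not in args]
    for key, value in args.items():
        if key not in props:
            problems.append(f"unexpected arg: {key}")
            continue
        check = TYPE_CHECKS.get(props[key].get("type"))
        if check and not check(value):
            problems.append(f"{key} must be {props[key]['type']}")
    return problems

# Constructed list-tools entry, using the schema the README gives for this tool.
SAMPLE_TOOLS = json.loads("""[{
  "name": "get_proxy_http_history",
  "description": "constructed sample entry",
  "inputSchema": {"type": "object",
                  "properties": {"offset": {"type": "integer"}, "count": {"type": "integer"}},
                  "required": ["offset", "count"]}
}]""")
```

The gate is an allowlist, so a tool added by a newer extension version is refused until someone reviews it and adds it to `READ_ONLY` or passes `allow_mutation=True`.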

Output behavior

  • list-tools prints a JSON array of tools
  • call prints a JSON object with:
    • isError
    • content

Burp often returns tool results as text blocks. Some tools return newline-separated JSON strings inside content[].text, so callers may need a second parse step if they want structured output.
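
One way to do that second parse step, as an added example that is not part of the skill's own script: `parse_call_output` is a hypothetical helper, and the sample payload and its field names are constructed for illustration rather than taken from Burp's real output.

```python
import json

def parse_call_output(raw):
    """Second parse step for the CLI's `call` output.

    Returns (records, leftovers): decoded JSON values, and text lines that
    were not JSON. Hypothetical helper, not part of the skill.
    """
    result = json.loads(raw)
    blocks = result.get("content") or []
    texts = [b["text"] for b in blocks if isinstance(b.get("text"), str)]
    if result.get("isError"):
        # Surface the tool's own error text instead of parsing it as data.
        raise RuntimeError("Burp tool error: " + " | ".join(texts))
    records, leftovers = [], []
    for text in texts:
        try:
            # A block may hold one (possibly pretty-printed) JSON document.
            records.append(json.loads(text))
            continue
        except json.JSONDecodeError:
            pass
        # Otherwise fall back to one JSON value per line.
        for line in filter(None, map(str.strip, text.splitlines())):
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                leftovers.append(line)  # keep plain-text lines for the caller
    return records, leftovers

# Constructed sample; field names are illustrative, not Burp's real ones.
SAMPLE = json.dumps({"isError": False, "content": [
    {"type": "text", "text": '{"id": 1, "url": "https://example.test/login"}\n'
                             '{"id": 2, "url": "https://example.test/token"}\n'
                             'Reached end of items'},
    {"type": "text", "text": '{\n  "id": 3\n}'},
]})

if __name__ == "__main__":
    print(parse_call_output(SAMPLE))
```

The decoded records come from proxied traffic, so an agent consuming them should treat their contents as untrusted data rather than as instructions.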

Troubleshooting

  • If connection fails, verify Burp is open and the MCP extension is enabled
  • If /sse fails, use / instead
  • If tool calls return schema errors, re-run list-tools and check inputSchema
  • If nothing returns, test manually with:
curl http://127.0.0.1:9876 -v

A healthy server should return text/event-stream

Notes

  • Uses the official Python mcp SDK
  • Requires asyncio
  • Assumes the mcp package is already installed in the active Python environment
Usage Guidance
This skill appears to do exactly what it says: connect to a local Burp MCP SSE server and list/call tools. Before installing or running it, ensure: (1) Burp Suite with the MCP extension is actually running on localhost as expected, (2) you are comfortable installing the Python 'mcp' package from PyPI — verify its origin and contents, and (3) avoid invoking any Burp tools that mutate state unless you understand their effects (the README and SKILL.md list several mutation-capable tools). The script only reads an optional config.json inside the skill folder and communicates with localhost; there are no requests for external credentials or unexpected network destinations.
Capability Analysis
Type: OpenClaw Skill · Name: burp-mcp · Version: 0.1.0
The skill provides a legitimate interface for an AI agent to interact with a local Burp Suite instance via the Model Context Protocol (MCP). The implementation in `scripts/burp_mcp.py` uses the official Python MCP SDK to communicate with a local SSE endpoint (defaulting to 127.0.0.1:9876). The instructions in `SKILL.md` are well-structured, align with the code's functionality, and include safety guidance for the agent regarding state-mutating tools. No evidence of data exfiltration, obfuscation, or malicious intent was found.
Capability Assessment
Purpose & Capability
Name/description match the code and instructions: the package contains a Python CLI that uses the Python 'mcp' SDK to talk to a local Burp MCP SSE endpoint. Required binary (python) and optional config.json are appropriate for the stated purpose.
Instruction Scope
SKILL.md and the script limit actions to connecting to a local SSE endpoint (default http://127.0.0.1:9876/), listing tools, and calling tools. The agent is instructed to run the included script; there are no instructions to read unrelated system files or environment variables, nor to transmit data to external endpoints.
Install Mechanism
The skill is instruction-only (no repository-level install step), but SKILL.md metadata and README mention installing the Python 'mcp' package via pip. Installing a third-party PyPI package is a normal dependency step for this functionality, but the user should verify the 'mcp' package's provenance before installing.
Credentials
No environment variables or credentials are requested. The script reads a local config.json inside the skill directory for an SSE URL (optional) — this is proportional to the goal and limited in scope.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and does not request persistent system-wide privileges. It runs as an on-demand CLI helper and prints JSON to stdout.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install burp-mcp
  3. After installation, invoke the skill by name or use /burp-mcp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: Python MCP SDK bridge for local Burp Suite MCP over SSE.
Metadata
Slug burp-mcp
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is burp-mcp?

Connect to a local Burp Suite MCP Server over SSE and list or call Burp tools from the workspace. Use when Burp Suite is running with the PortSwigger MCP ext... It is an AI Agent Skill for Claude Code / OpenClaw, with 51 downloads so far.

How do I install burp-mcp?

Run "/install burp-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is burp-mcp free?

Yes, burp-mcp is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does burp-mcp support?

burp-mcp is cross-platform and runs anywhere OpenClaw / Claude Code is available (win32, linux, darwin).

Who created burp-mcp?

It is built and maintained by Huỳnh Ngọc Quang (@nquangit); the current version is v0.1.0.
