MCP Observatory
github re-analysis due

iksnerd/hopper-recon

github

Self-hosted attack-surface recon — point it at a domain you own and map subdomains, DNS, TLS, HTTP, CDN, and historical URLs in one dashboard. The same tools run over MCP, so AI agents (Claude Code, Cline) can drive recon too.

maintainer
iksnerd
license
MIT
first seen
2026-06-07
last seen
2026-06-07
releases · 30d
3
short id

Drift inferred · capture-to-capture

No drift recorded — single capability capture; advisories appear once its surface changes.

capabilities 9 tools
transport stdio · http counts 9 tools · 0 res · 0 prompts permission surface via code analysis

tools

  • check_cdn

    cdncheck

  • expand_subdomains

    alterx

  • fetch_tls_cert

    tlsx

  • find_urls

    urlfinder

  • lookup_geoip

    geoip2-golang

  • passive_subdomains

    subfinder

  • probe_http

    httpx

  • resolve_dns

    dnsx

  • resolve_mutations

    alterx + dnsx

skills & danger signals github-tarball
prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed commit 4652f1b · analyzer v17 · 1d ago

skills & prompt files 2

code evidence vv0.3.3 · github-tarball
evidence-backed findings quoted directly from the published source artifact — not inferred

network 8

  • net iksnerd-hopper-recon-4652f1b/web/src/app/(app)/dashboard/page.tsx :106 const res = await fetch("/api/scan", {
  • net iksnerd-hopper-recon-4652f1b/web/src/app/(app)/history/[domain]/page.tsx :92 const r = await fetch(`/api/scans/domains/${encodeURIComponent(domain)}`)
  • net iksnerd-hopper-recon-4652f1b/web/src/app/(app)/history/page.tsx :113 const r = await fetch("/api/scans/domains")
  • net iksnerd-hopper-recon-4652f1b/web/src/app/(app)/settings/page.tsx :32 fetch("/api/config", { cache: "no-store", signal: ac.signal })
  • net iksnerd-hopper-recon-4652f1b/web/src/app/api/config/route.ts :9 const res = await fetch(`${baseUrl}/config`, { cache: "no-store" })
  • net iksnerd-hopper-recon-4652f1b/web/src/app/api/readyz/route.ts :10 const res = await fetch(`${baseUrl}/readyz`, { cache: "no-store" })
  • net iksnerd-hopper-recon-4652f1b/web/src/components/recon/operator-warning-banner.tsx :46 fetch("/api/config", { cache: "no-store" })
  • net iksnerd-hopper-recon-4652f1b/web/src/lib/engine-client.ts :30 const res = await fetch(`${baseUrl}${path}`, {

declared dependencies 37

  • @base-ui/react@^1.4.1
  • @opennextjs/cloudflare@^1.19.6
  • @tanstack/react-query@^5.100.9
  • @tanstack/react-query-devtools@^5.100.9
  • class-variance-authority@^0.7.1
  • clsx@^2.1.1
  • cmdk@^1.1.1
  • cobe@^2.0.1
  • date-fns@^4.1.0
  • embla-carousel-react@^8.6.0
  • input-otp@^1.4.2
  • lucide-react@^1.14.0
  • next@16.2.6
  • next-themes@^0.4.6
  • radix-ui@^1.4.3
  • react@19.2.4
  • react-day-picker@^9.14.0
  • react-dom@19.2.4
  • react-resizable-panels@^4.11.0
  • recharts@^3.8.0
  • shadcn@^4.7.0
  • sonner@^2.0.7
  • tailwind-merge@^3.5.0
  • tw-animate-css@^1.4.0
  • vaul@^1.1.2
  • @cloudflare/workers-types@^4.20260506.1
  • @tailwindcss/postcss@^4
  • @types/node@^20
  • @types/react@^19
  • @types/react-dom@^19
  • babel-plugin-react-compiler@1.0.0
  • eslint@^9
  • eslint-config-next@16.2.6
  • tailwindcss@^4
  • typescript@^5
  • vitest@^4.1.5
  • wrangler@^4.88.0