Show HN: Vishu – Model Context Protocol (MCP) Suite
I'm thrilled to introduce Vishu (MCP) Suite, an open-source application I've been developing that takes a novel approach to vulnerability assessment and reporting by deeply integrating Large Language Models (LLMs) into its core workflow.
What's the Big Idea?
Instead of just using LLMs for summarization at the end, Vishu (MCP) Suite employs them as a central reasoning engine throughout the assessment process. This is managed by a robust Model Context Protocol (MCP) agent scaffolding designed for complex task execution.
Core Capabilities & How LLMs Fit In:
1. Intelligent Workflow Orchestration: The LLM, guided by the MCP, can:
   • Plan and Strategize: Using a SequentialThinkingPlanner tool, the LLM breaks down high-level goals (e.g., "assess example.com for web vulnerabilities") into a series of logical thought steps. It can even revise its plan based on incoming data!
   • Dynamic Tool Selection & Execution: Based on its plan, the LLM chooses and executes appropriate tools from a growing arsenal. Current tools include:
     ◇ Port Scanning (PortScanner)
     ◇ Subdomain Enumeration (SubDomainEnumerator)
     ◇ DNS Enumeration (DnsEnumerator)
     ◇ Web Content Fetching (GetWebPages, SiteMapAndAnalyze)
     ◇ Web Searches for general info and CVEs (WebSearch, WebSearch4CVEs)
     ◇ Data Ingestion & Querying from a vector DB (IngestText2DB, QueryVectorDB, QueryReconData, ProcessAndIngestDocumentation)
     ◇ Comprehensive PDF Report Generation from findings (FetchDomainDataForReport, RetrievePaginatedDataSection, CreatePDFReportWithSummaries)
   • Contextual Result Analysis: The LLM receives tool outputs and uses them to inform its next steps, reflecting on progress and adapting as needed. The REFLECTION_THRESHOLD in the client ensures it periodically reviews its overall strategy.
   • Unique MCP Agent Scaffolding & SSE Framework:
     ◇ The MCP-Agent scaffolding (ReConClient.py): This isn't just a script runner. The MCP-scaffolding manages "plans" (assessment tasks), maintains conversation history with the LLM for each plan, handles tool execution (including caching results), and manages the LLM's thought process. It's built to be robust, with features like retry logic for tool calls and LLM invocations.
     ◇ Server-Sent Events (SSE) for Real-Time Interaction (Rizzler.py, mcp_client_gui.py): The backend (FastAPI based) communicates with the client (including a Dear PyGui interface) using SSE. This allows for:
       ▪ Live Streaming of Tool Outputs: Watch tools like port scanners or site mappers send back data in real-time.
       ▪ Dynamic Updates: The GUI reflects the agent's status, new plans, and tool logs as they happen.
       ▪ Flexibility & Extensibility: The SSE framework makes it easier to integrate new streaming or long-running tools and have their progress reflected immediately. The tool registration in Rizzler.py (@mcpServer.tool()) is designed for easy extension.
We Need Your Help to Make It Even Better!
This is an ongoing project, and I believe it has a lot of potential. I'd love for the community to get involved:
◇ Try it Out: Clone the repo, set it up (you'll need a GOOGLE_API_KEY and potentially a local SearXNG instance, etc. – see .env patterns), and run some assessments!
  ▪ GitHub Repo: https://github.com/seyrup1987/ReconRizzler-Alpha
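
The tool-execution behaviour the post describes (cached tool results, retry logic for tool calls, a periodic strategy review driven by REFLECTION_THRESHOLD), shown as an added example that is not taken from ReConClient.py or any other project file. The class and function names, the error type, the threshold value of 3 and the stand-in tool are all assumptions made for illustration.

```python
import json
import time

REFLECTION_THRESHOLD = 3  # assumed value; the post names the setting but not its value

class TransientToolError(Exception):
    """Hypothetical error type for failures worth retrying (timeouts, resets)."""

class ToolExecutor:
    """Runs registered tools with result caching, bounded retries and a reflection counter."""
    def __init__(self, tools, max_retries=2, backoff=0.0):
        self.tools = tools            # tool name -> callable(**kwargs)
        self.max_retries = max_retries
        self.backoff = backoff        # base delay in seconds, doubled per attempt
        self.cache = {}
        self.calls_since_reflection = 0

    def run(self, name, args):
        """Return (result, reflect_now); reflect_now tells the caller to review its plan."""
        if name not in self.tools:
            # The model only proposes a tool name; never dispatch an unregistered one.
            raise KeyError("unregistered tool: " + name)
        # Canonical JSON so argument order does not create duplicate cache entries.
        key = name + ":" + json.dumps(args, sort_keys=True)
        if key not in self.cache:
            for attempt in range(self.max_retries + 1):
                try:
                    self.cache[key] = self.tools[name](**args)
                    break
                except TransientToolError:
                    if attempt == self.max_retries:
                        raise         # retries exhausted: surface the failure
                    time.sleep(self.backoff * (2 ** attempt))
        self.calls_since_reflection += 1
        reflect_now = self.calls_since_reflection >= REFLECTION_THRESHOLD
        if reflect_now:
            self.calls_since_reflection = 0
        return self.cache[key], reflect_now

def make_flaky_lookup(fail_times):
    """Constructed stand-in tool: fails fail_times times, then returns canned data."""
    state = {"calls": 0}
    def lookup(host):
        state["calls"] += 1
        if state["calls"] <= fail_times:
            raise TransientToolError("simulated timeout")
        return {"host": host, "records": ["192.0.2.10"]}  # documentation-range address
    return lookup, state
```

Failed calls are never cached here, so a later request for the same tool and arguments runs the tool again instead of replaying an error.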