Show HN: Vishu – Model Context Protocol (MCP) Suite
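I'm thrilled to introduce Vishu (MCP) Suite, an open-source application I've been developing that takes a novel approach to vulnerability assessment and reporting by deeply integrating Large Language Models (LLMs) into its core workflow.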
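### What's the Big Idea?
Instead of just using LLMs for summarization at the end, Vishu (MCP) Suite employs them as a central reasoning engine throughout the assessment process. This is managed by a robust Model Context Protocol (MCP) agent scaffolding designed for complex task execution.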
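### Core Capabilities & How LLMs Fit In:
1. **Intelligent Workflow Orchestration**: The LLM, guided by the MCP, can:
   - **Plan and Strategize**: Using a SequentialThinkingPlanner tool, the LLM breaks down high-level goals (e.g., "assess example.com for web vulnerabilities") into a series of logical thought steps. It can even revise its plan based on incoming data!
   - **Dynamic Tool Selection & Execution**: Based on its plan, the LLM chooses and executes appropriate tools from a growing arsenal. Current tools include:
     - Port Scanning (PortScanner)
     - Subdomain Enumeration (SubDomainEnumerator)
     - DNS Enumeration (DnsEnumerator)
     - Web Content Fetching (GetWebPages, SiteMapAndAnalyze)
     - Web Searches for general info and CVEs (WebSearch, WebSearch4CVEs)
     - Data Ingestion & Querying from a vector DB (IngestText2DB, QueryVectorDB, QueryReconData, ProcessAndIngestDocumentation)
     - Comprehensive PDF Report Generation from findings (FetchDomainDataForReport, RetrievePaginatedDataSection, CreatePDFReportWithSummaries)
   - **Contextual Result Analysis**: The LLM receives tool outputs and uses them to inform its next steps, reflecting on progress and adapting as needed. The REFLECTION_THRESHOLD in the client ensures it periodically reviews its overall strategy.
2. **Unique MCP Agent Scaffolding & SSE Framework**:
   - The MCP-Agent scaffolding (ReConClient.py): This isn't just a script runner. The MCP-scaffolding manages "plans" (assessment tasks), maintains conversation history with the LLM for each plan, handles tool execution (including caching results), and manages the LLM's thought process. It's built to be robust, with features like retry logic for tool calls and LLM invocations.
   - Server-Sent Events (SSE) for Real-Time Interaction (Rizzler.py, mcp_client_gui.py): The backend (FastAPI based) communicates with the client (including a Dear PyGui interface) using SSE. This allows for:
     - Live Streaming of Tool Outputs: Watch tools like port scanners or site mappers send back data in real-time.
     - Dynamic Updates: The GUI reflects the agent's status, new plans, and tool logs as they happen.
     - Flexibility & Extensibility: The SSE framework makes it easier to integrate new streaming or long-running tools and have their progress reflected immediately. The tool registration in Rizzler.py (@mcpServer.tool()) is designed for easy extension.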
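### We Need Your Help to Make It Even Better!
This is an ongoing project, and I believe it has a lot of potential. I'd love for the community to get involved:
- **Try it Out**: Clone the repo, set it up (you'll need a GOOGLE_API_KEY and potentially a local SearXNG instance, etc. – see .env patterns), and run some assessments!
- **GitHub Repo**: [https://github.com/seyrup1987/ReconRizzler-Alpha](https://github.com/seyrup1987/ReconRizzler-Alpha)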
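A sketch of what a client has to do with the Server-Sent Events stream described above, as an added example that is not part of the original post or the project's code. It follows the standard `text/event-stream` framing; the event names `tool_log` and `status`, the JSON payload shape and the sample stream are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample stream; event names and JSON shape are assumptions.
SAMPLE = (
    ": keep-alive\n"
    "event: tool_log\nid: 1\n"
    'data: {"tool": "DnsEnumerator", "line": "lookup finished"}\n\n'
    "event: status\ndata: plan updated\ndata: step 2 of 5\n\n"
    "event: tool_log\nid: 2\ndata: not-json\n\n"
    'event: tool_log\ndata: {"tool": "PortScanner", "line": "cut off"}\n'
)

def parse_sse(text):
    """Split a text/event-stream body into dispatched events."""
    events = []
    event_type, data_lines, last_id = "message", [], None
    # SSE lines end in CRLF, LF or CR; the piece after the last
    # terminator is an incomplete line and is never dispatched.
    for line in re.split(r"\r\n|\n|\r", text)[:-1]:
        if line == "":                      # blank line dispatches the event
            if data_lines:
                events.append({"event": event_type, "id": last_id,
                               "data": "\n".join(data_lines)})
            event_type, data_lines = "message", []
            continue
        if line.startswith(":"):            # comment, used as keep-alive
            continue
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "event":
            event_type = value
        elif field == "data":
            data_lines.append(value)
        elif field == "id":
            last_id = value                 # persists across later events
    return events

def tool_logs(events):
    """Decode tool_log payloads, counting malformed ones instead of failing."""
    logs, rejected = [], 0
    for ev in events:
        if ev["event"] != "tool_log":
            continue
        try:
            payload = json.loads(ev["data"])
        except json.JSONDecodeError:
            payload = None
        if isinstance(payload, dict):
            logs.append(payload)
        else:
            rejected += 1
    return logs, rejected
```

The last frame in the sample has no terminating blank line, so it is dropped rather than shown as a complete tool result, which is the behaviour a log view needs when a stream is cut mid-event.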