jshookmcp
jshookmcp is an MCP server providing 402+ tools across 36 domains for JavaScript analysis, browser automation, and security research. It integrates with AI agents (Claude, Cursor) to enable reverse engineering, network interception, WASM analysis, and runtime debugging without global installation.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | vmoranv/jshookmcp |
| Owner | vmoranv |
| Primary language | TypeScript |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.7k |
| Forks | 435 |
| Open issues | 3 |
| Latest release | Unknown |
| Last updated | 2026-07-05 |
| Source | https://github.com/vmoranv/jshookmcp |
What jshookmcp is
TypeScript-based MCP server exposing declarative tools for CDP debugging, JS hooks, AST transforms, process forensics, and composite workflows. Features lazy initialization, BM25+vector hybrid search, tool annotations (readOnly/destructive hints), and state restoration across HTTP multiplexed sessions.
Get the jshookmcp source
Clone the repository and explore it locally.
git clone https://github.com/vmoranv/jshookmcp.gitcd jshookmcp# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Confirm Node.js 22.12+ availability in target deployment environment; no backward compatibility to earlier LTS versions.
- AGPL-3.0 copyleft: any proprietary wrapper or derivative must open-source linked code. Establish legal clearance before shipping.
- MCP server expects JSON config (claude_desktop_config.json or Cursor equivalent); ensure client supports MCP protocol and auto-discovery of 402+ tools.
- Runtime state restoration relies on HTTP multiplexing; validate network resilience and session timeout behavior in your deployment.
- Tool coverage report and schema-first validation available via `describe_tool` and `coverage_report`; use these to reduce parameter errors in production calls.
When to avoid it — and what to weigh
- Strict Proprietary Software License Required — AGPL-3.0 requires source disclosure and derivative works to remain open. If your product must remain closed-source, this is not suitable without significant legal review.
- Limited to Older Node.js Versions — Requires Node.js 22.12+, which may conflict with legacy enterprise environments locked to older LTS versions.
- No Production-Grade SLA or Commercial Support — This is a community project with no guaranteed uptime, security patch SLA, or vendor support. Not appropriate for mission-critical compliance-driven systems.
- High Maintenance Burden for Customization — While hot-reload plugins exist, integrating specialized forensics tools (IDA, custom Frida scripts) or hardened reverse-engineering pipelines requires deep domain expertise.
License & commercial use
AGPL-3.0 (GNU Affero General Public License v3.0). All source code modifications and distributed derivative works must be open-sourced and made available under the same license. Network use (e.g., SaaS wrapper) triggers disclosure obligations.
Commercial use of the unmodified tool is permitted under AGPL-3.0, but any proprietary extension, integration, or SaaS deployment requires open-sourcing your modifications and linked code. Direct commercial support (SLA, vendor liability, security indemnification) is not offered. Requires legal review before shipping in closed-source products.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Project uses browser automation, network interception (MiTM), process/memory forensics, and native FFI scanning. No security audit or CVE history provided. CAPTCHA solving is manual-input driven (reduces exploitation risk vs. auto-solving). Ensure sandboxing/isolation when analyzing untrusted code; reverse-engineering toolchain (Frida, WASM disasm) can execute arbitrary payloads. Use in isolated environments; validate certificate pinning and proxy trust boundaries before production.
Alternatives to consider
Puppeteer + custom Node.js scripts
Lighter-weight, permissive MIT license, mature ecosystem. Requires manual tooling for deobfuscation, WASM analysis, and forensics; no MCP integration.
Ghidra + IDA Pro + Frida (standalone)
Industry-standard reverse engineering, larger community, commercial support available. No native MCP/AI integration; requires manual orchestration and scripting.
Commercial API security platforms (Rapid7, Qualys, etc.)
Vendor-backed SLA, compliance certifications, incident response. Higher cost; less flexibility for custom AI-driven workflows; may not expose low-level JS hooks and CDP.
Build on jshookmcp with DEV.co software developers
Contact Devco to assess AGPL-3.0 compliance, Node.js infrastructure fit, and AI integration strategy. We'll help you prototype secure deployments and validate custom reverse-engineering pipelines.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
jshookmcp FAQ
Can I use this in a closed-source commercial product?
What is the minimum Node.js version?
Does this replace Puppeteer or Playwright?
Is there vendor support or an SLA?
Work with a software development agency
Adopting jshookmcp is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.
Ready to Evaluate jshookmcp for Your Security & Reverse Engineering Needs?
Contact Devco to assess AGPL-3.0 compliance, Node.js infrastructure fit, and AI integration strategy. We'll help you prototype secure deployments and validate custom reverse-engineering pipelines.