DEV.co
MCP Servers · vmoranv

jshookmcp

jshookmcp is an MCP server providing 402+ tools across 36 domains for JavaScript analysis, browser automation, and security research. It integrates with AI agents (Claude, Cursor) to enable reverse engineering, network interception, WASM analysis, and runtime debugging without global installation.

Source: GitHub — github.com/vmoranv/jshookmcp
1.7k
GitHub stars
435
Forks
TypeScript
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryvmoranv/jshookmcp
Ownervmoranv
Primary languageTypeScript
LicenseAGPL-3.0 — OSI-approved
Stars1.7k
Forks435
Open issues3
Latest releaseUnknown
Last updated2026-07-05
Sourcehttps://github.com/vmoranv/jshookmcp

What jshookmcp is

TypeScript-based MCP server exposing declarative tools for CDP debugging, JS hooks, AST transforms, process forensics, and composite workflows. Features lazy initialization, BM25+vector hybrid search, tool annotations (readOnly/destructive hints), and state restoration across HTTP multiplexed sessions.

Quickstart

Get the jshookmcp source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/vmoranv/jshookmcp.gitcd jshookmcp# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AI-Assisted JavaScript Deobfuscation & Reverse Engineering

Leverage LLM-powered analysis combined with AST transforms, source-map reconstruction, and WASM disassembly to accelerate security research and malware analysis workflows.

Security & Threat Analysis at Scale

Use browser automation, network interception (HTTP/2 frame building, MiTM capture), Frida/Ghidra bridges, and memory forensics to analyze obfuscated code, detect crypto, and investigate suspicious payloads.

Full-Stack Browser Testing & Debugging

Automate Chromium/Camoufox testing with anti-detection, CAPTCHA handling, CDP debugging, coverage tracking, and session isolation per client for comprehensive QA and performance analysis.

Implementation considerations

  • Confirm Node.js 22.12+ availability in target deployment environment; no backward compatibility to earlier LTS versions.
  • AGPL-3.0 copyleft: any proprietary wrapper or derivative must open-source linked code. Establish legal clearance before shipping.
  • MCP server expects JSON config (claude_desktop_config.json or Cursor equivalent); ensure client supports MCP protocol and auto-discovery of 402+ tools.
  • Runtime state restoration relies on HTTP multiplexing; validate network resilience and session timeout behavior in your deployment.
  • Tool coverage report and schema-first validation available via `describe_tool` and `coverage_report`; use these to reduce parameter errors in production calls.

When to avoid it — and what to weigh

  • Strict Proprietary Software License Required — AGPL-3.0 requires source disclosure and derivative works to remain open. If your product must remain closed-source, this is not suitable without significant legal review.
  • Limited to Older Node.js Versions — Requires Node.js 22.12+, which may conflict with legacy enterprise environments locked to older LTS versions.
  • No Production-Grade SLA or Commercial Support — This is a community project with no guaranteed uptime, security patch SLA, or vendor support. Not appropriate for mission-critical compliance-driven systems.
  • High Maintenance Burden for Customization — While hot-reload plugins exist, integrating specialized forensics tools (IDA, custom Frida scripts) or hardened reverse-engineering pipelines requires deep domain expertise.

License & commercial use

AGPL-3.0 (GNU Affero General Public License v3.0). All source code modifications and distributed derivative works must be open-sourced and made available under the same license. Network use (e.g., SaaS wrapper) triggers disclosure obligations.

Commercial use of the unmodified tool is permitted under AGPL-3.0, but any proprietary extension, integration, or SaaS deployment requires open-sourcing your modifications and linked code. Direct commercial support (SLA, vendor liability, security indemnification) is not offered. Requires legal review before shipping in closed-source products.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Project uses browser automation, network interception (MiTM), process/memory forensics, and native FFI scanning. No security audit or CVE history provided. CAPTCHA solving is manual-input driven (reduces exploitation risk vs. auto-solving). Ensure sandboxing/isolation when analyzing untrusted code; reverse-engineering toolchain (Frida, WASM disasm) can execute arbitrary payloads. Use in isolated environments; validate certificate pinning and proxy trust boundaries before production.

Alternatives to consider

Puppeteer + custom Node.js scripts

Lighter-weight, permissive MIT license, mature ecosystem. Requires manual tooling for deobfuscation, WASM analysis, and forensics; no MCP integration.

Ghidra + IDA Pro + Frida (standalone)

Industry-standard reverse engineering, larger community, commercial support available. No native MCP/AI integration; requires manual orchestration and scripting.

Commercial API security platforms (Rapid7, Qualys, etc.)

Vendor-backed SLA, compliance certifications, incident response. Higher cost; less flexibility for custom AI-driven workflows; may not expose low-level JS hooks and CDP.

Software development agency

Build on jshookmcp with DEV.co software developers

Contact Devco to assess AGPL-3.0 compliance, Node.js infrastructure fit, and AI integration strategy. We'll help you prototype secure deployments and validate custom reverse-engineering pipelines.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

jshookmcp FAQ

Can I use this in a closed-source commercial product?
Not without legal review. AGPL-3.0 requires you to open-source any modifications and code linked to it. Even a SaaS wrapper must disclose source. Consult your legal team before proceeding.
What is the minimum Node.js version?
Node.js 22.12+. No backward compatibility to earlier LTS versions (20.x, 18.x). Verify availability in your deployment pipeline.
Does this replace Puppeteer or Playwright?
No. jshookmcp augments browser automation with AI-driven deobfuscation, memory forensics, WASM analysis, and reverse engineering. Use it alongside or instead of these tools depending on your security research vs. QA needs.
Is there vendor support or an SLA?
No. This is a community-maintained project. Security patches, bug fixes, and feature updates depend on volunteer contributions. Not recommended for mission-critical production systems without internal engineering capacity.

Work with a software development agency

Adopting jshookmcp is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.

Ready to Evaluate jshookmcp for Your Security & Reverse Engineering Needs?

Contact Devco to assess AGPL-3.0 compliance, Node.js infrastructure fit, and AI integration strategy. We'll help you prototype secure deployments and validate custom reverse-engineering pipelines.