ThreatFox

live Security

abuse.ch IOC feed — IPs, domains, URLs, hashes tied to malware families and campaigns.

4 tools
0ms auth
free tier 50 calls/day

Tools

search_ioc required: indicator

Look up a specific indicator.

Parameters
Name         Required  Type     Description
indicator    yes       string   IP/domain/URL/hash
exact_match  no        boolean  Default true

recent_iocs

IOCs from the last N days.

Parameters
Name  Required  Type    Description
days  no        number  1-7

search_hash required: hash

IOCs associated with a file hash.

Parameters
Name  Required  Type    Description
hash  yes       string  md5/sha1/sha256

search_malware required: malware

IOCs tagged to a malware family.

Parameters
Name     Required  Type    Description
malware  yes       string  Family name
limit    no        number  Max records

Test with curl

The gateway speaks JSON-RPC 2.0 over HTTP POST. You can test any pack directly from the terminal.

List available tools
bash
curl -X POST https://gateway.pipeworx.io/threatfox/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
Call a tool
bash
curl -X POST https://gateway.pipeworx.io/threatfox/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_ioc","arguments":{"indicator": "example"}}}'
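
With only 50 calls/day on the free tier, it helps to reject malformed arguments before a request leaves the host. The following is an added example, not Pipeworx code: it checks arguments against the parameter tables above, builds the same `tools/call` envelope as the curl command, and validates the JSON-RPC 2.0 response envelope. The function names are hypothetical, hex encoding of hashes is an assumption, and the shape of `result` is not documented on this page, so it is returned untouched.

```javascript
// Added example. Rules below are transcribed from the parameter tables on this page.
const HASH_LEN = { 32: 'md5', 40: 'sha1', 64: 'sha256' }; // assumes hex-encoded digests
const TOOLS = {
  search_ioc:     { indicator: ['req', 'string'], exact_match: ['opt', 'boolean'] },
  recent_iocs:    { days: ['opt', 'number'] },
  search_hash:    { hash: ['req', 'string'] },
  search_malware: { malware: ['req', 'string'], limit: ['opt', 'number'] },
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns 'md5' | 'sha1' | 'sha256', or null if the value is not hex of a matching length.
function hashKind(h) {
  return /^[0-9a-fA-F]+$/.test(h) ? (HASH_LEN[h.length] || null) : null;
}

// Build a JSON-RPC 2.0 tools/call request; throws before any network call
// (and before a call is spent from the daily quota) if the arguments are invalid.
function buildToolCall(id, name, args = {}) {
  if (!has(TOOLS, name)) throw new Error(`unknown tool: ${name}`);
  const spec = TOOLS[name];
  for (const key of Object.keys(args)) {
    if (!has(spec, key)) throw new Error(`${name}: unexpected argument ${key}`);
  }
  for (const [key, [need, type]] of Object.entries(spec)) {
    const v = args[key];
    if (v === undefined) {
      if (need === 'req') throw new Error(`${name}: missing ${key}`);
      continue;
    }
    if (typeof v !== type || v === '') throw new Error(`${name}: ${key} must be a non-empty ${type}`);
  }
  if (name === 'recent_iocs' && args.days !== undefined && !(args.days >= 1 && args.days <= 7)) {
    throw new Error('recent_iocs: days must be 1-7');
  }
  if (name === 'search_hash' && !hashKind(args.hash)) {
    throw new Error('search_hash: hash must be md5/sha1/sha256');
  }
  return { jsonrpc: '2.0', id, method: 'tools/call', params: { name, arguments: args } };
}

// Check a parsed JSON-RPC 2.0 response against the request id and return its result.
function unwrapResponse(res, id) {
  if (!res || res.jsonrpc !== '2.0' || res.id !== id) throw new Error('not a matching JSON-RPC 2.0 response');
  if (res.error) throw new Error(`rpc error ${res.error.code}: ${res.error.message}`);
  return res.result;
}
```

The object returned by `buildToolCall` can be passed through `JSON.stringify` and sent as the POST body in place of the hand-written `-d` payload.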

Use with the SDK

Install @pipeworx/sdk to call tools from any TypeScript/Node project.

TypeScript
import { Pipeworx } from '@pipeworx/sdk';
const px = new Pipeworx();
const result = await px.call("search_ioc", {"indicator":"example"});
// Or ask in plain English:
const answer = await px.ask("abuse");