Opfor can run as an MCP server, exposing its workflow as tools that any MCP-compatible assistant (Cursor, Claude Desktop, Windsurf) can call. Your assistant runs a full red team from chat, with no terminal required.
This is different from attacking an MCP server as a target: here, opfor is the MCP server. To test an MCP server as the target, see MCP mode in the CLI.

How it works

The assistant calls three tools in sequence:

  1. opfor_list_evaluators: discover available evaluator IDs and suites. Call this first when you have not named specific evaluators.
  2. opfor_setup: configure a target and write opfor.config.json. Returns the config path.
  3. opfor_run: generate attacks on the fly, run them, judge responses, and write HTML + JSON reports.

No pre-generated attack file is needed: opfor_run handles generation, execution, and reporting in one shot.

Install

```bash
git clone https://github.com/KeyValueSoftwareSystems/agent-opfor.git
cd agent-opfor
npm install
npm run build
```
Once published to npm, you can skip the clone and run it via npx.

Register the server

Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (project-scoped). The path must be absolute:
```json
{
  "mcpServers": {
    "opfor": {
      "command": "node",
      "args": ["/absolute/path/to/opfor/runners/mcp/dist/index.js"]
    }
  }
}
```
The server reads API keys from your project's .env automatically, so no env block is needed in the config. The .env it reads is the one in the server process's working directory, which the MCP host sets when it starts the process; if keys are not picked up, that directory is the first thing to check.

Usage

Once registered, just talk to your assistant:
```text
Red team my chatbot at http://localhost:4000/chat
```
It calls opfor_list_evaluators → opfor_setup → opfor_run and returns a findings summary in chat, with reports saved to disk.

Tools reference

opfor_list_evaluators

No parameters. Returns every evaluator ID, severity, standards map, and all predefined suites.

opfor_setup

Configures a run and writes opfor.config.json. Returns the config path to pass to opfor_run.
| Parameter | Type | Required | Description |
|---|---|---|---|
| target_name | string | Yes | Human-readable name |
| target_kind | agent \| mcp | Yes | agent for HTTP/chatbot, mcp for servers |

Agent target (target_kind = "agent"):

| Parameter | Type | Required | Description |
|---|---|---|---|
| agent_endpoint | string | For HTTP | URL to attack |
| agent_request_format | auto \| openai \| json | No | Defaults to auto |
| agent_target_api_key | string | No | Auth token for the target |
| agent_script_path | string | For scripts | Path to a local .js/.py script |
| agent_description | string | No | What the agent does |

MCP target (target_kind = "mcp"):

| Parameter | Type | Required | Description |
|---|---|---|---|
| mcp_transport | stdio \| url | No | Defaults to stdio |
| mcp_command | string | For stdio | Command to start the server |
| mcp_args | string[] | No | Arguments for the command |
| mcp_env | object | No | Env vars for the server process |
| mcp_url | string | For url | Server URL (SSE / Streamable HTTP) |

Evaluator selection (pick one):

| Parameter | Type | Description |
|---|---|---|
| suite_id | string | Suite ID (e.g. owasp-mcp-top10) |
| evaluator_ids | string[] | Specific evaluator IDs |

LLM configuration:

| Parameter | Type | Required | Description |
|---|---|---|---|
| attack_llm | object | Yes | LLM for generating attacks |
| judge_llm | object | No | LLM for judging (defaults to attack_llm) |

LLM object: { provider, model, api_key_env, base_url? }.

Run settings:

| Parameter | Type | Description |
|---|---|---|
| effort | adaptive \| comprehensive | Defaults to adaptive |
| turns | number (1–10) | Turns per attack; 1 = single-turn (default) |
| output_dir | string | Where to write the config (default .) |
| config_path | string | Full config path (overrides output_dir) |

opfor_run

Runs the full evaluation from a config produced by opfor_setup.
| Parameter | Type | Required | Description |
|---|---|---|---|
| config_path | string | Yes | Path to the opfor.config.json |
| output_dir | string | No | Report directory (default: config dir) |
| effort_override | adaptive \| comprehensive | No | Override config effort |
| turns_override | number (1–10) | No | Override config turns |

API key resolution

The server resolves keys in order:
  1. The env var named in the LLM config’s api_key_env
  2. The provider’s default env var (e.g. OPENAI_API_KEY for openai)
It loads .env from the working directory automatically; keys never go in the MCP config JSON. (The mcp_env parameter of opfor_setup sets variables for the target MCP server's process, not for opfor's own LLM keys.)
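The three-call sequence from "How it works", the opfor_setup constraints from the tools reference, and the key resolution order above, as a script that drives the server over stdio instead of a chat assistant. This is an added example, not the project's own client code. It assumes MCP's stdio framing (one JSON-RPC 2.0 message per line, an initialize request followed by a notifications/initialized notification, tool calls via tools/call); SERVER_ENTRY, the target command, the model name and the report directory are placeholders to replace.

```python
"""Drive opfor's MCP tools from a script instead of a chat assistant.

Added example, not part of the opfor project. It relies only on what this
page documents (tool names, opfor_setup/opfor_run parameters, the key
resolution order) plus MCP's stdio framing: newline-delimited JSON-RPC 2.0.
SERVER_ENTRY, the target command and the model name are placeholders.
"""
import json
import os
import subprocess
from typing import Any, Mapping, Optional

SERVER_ENTRY = "/absolute/path/to/opfor/runners/mcp/dist/index.js"  # placeholder, as in mcp.json
PROVIDER_DEFAULT_ENV = {"openai": "OPENAI_API_KEY"}  # the only provider default the page names

class SetupArgsError(ValueError):
    """opfor_setup arguments violate the documented constraints."""

def validate_setup_args(args: dict) -> dict:
    """Apply the tools-reference rules locally so a bad config fails before any LLM spend."""
    if not args.get("target_name") or args.get("target_kind") not in ("agent", "mcp"):
        raise SetupArgsError("target_name and target_kind (agent|mcp) are required")
    if args["target_kind"] == "agent" and not (args.get("agent_endpoint") or args.get("agent_script_path")):
        raise SetupArgsError("agent target needs agent_endpoint (HTTP) or agent_script_path (script)")
    if args["target_kind"] == "mcp":
        transport = args.get("mcp_transport", "stdio")
        if transport == "stdio" and not args.get("mcp_command"):
            raise SetupArgsError("stdio MCP target needs mcp_command")
        if transport == "url" and not args.get("mcp_url"):
            raise SetupArgsError("url MCP target needs mcp_url")
    if bool(args.get("suite_id")) == bool(args.get("evaluator_ids")):
        raise SetupArgsError("pick exactly one of suite_id or evaluator_ids")
    if not isinstance(args.get("attack_llm"), dict):
        raise SetupArgsError("attack_llm {provider, model, api_key_env, base_url?} is required")
    turns = args.get("turns", 1)
    if not isinstance(turns, int) or not 1 <= turns <= 10:
        raise SetupArgsError("turns must be an integer from 1 to 10")
    return args

def rejects(args: dict) -> bool:
    """True when validate_setup_args refuses args."""
    try:
        validate_setup_args(args)
    except SetupArgsError:
        return True
    return False

def resolve_api_key_env(llm: Mapping[str, Any], env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Documented order: the api_key_env variable, then the provider default. Returns the one that is set."""
    for name in (llm.get("api_key_env"), PROVIDER_DEFAULT_ENV.get(llm.get("provider", ""))):
        if name and env.get(name):
            return name
    return None

def jsonrpc(method: str, params: Optional[dict] = None, msg_id: Optional[int] = None) -> dict:
    """Build one JSON-RPC 2.0 message; no id means a notification."""
    msg: dict = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if msg_id is not None:
        msg["id"] = msg_id
    return msg

def text_result(response: dict) -> str:
    """Text content of a tools/call reply; JSON-RPC errors and isError results are raised, not swallowed."""
    if "error" in response:
        raise RuntimeError(f"JSON-RPC error: {response['error']}")
    result = response["result"]
    text = "".join(c.get("text", "") for c in result.get("content", []) if c.get("type") == "text")
    if result.get("isError"):
        raise RuntimeError(f"tool failed: {text}")
    return text

class StdioClient:
    """Just enough MCP client to call tools on a stdio server."""
    def __init__(self, cmd: list):
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        self.next_id = 0
        self.request("initialize", {"protocolVersion": "2024-11-05", "capabilities": {},
                                    "clientInfo": {"name": "opfor-driver", "version": "0.1"}})
        self._send(jsonrpc("notifications/initialized"))

    def _send(self, msg: dict) -> None:
        self.proc.stdin.write(json.dumps(msg) + "\n")
        self.proc.stdin.flush()

    def request(self, method: str, params: dict) -> dict:
        self.next_id += 1
        self._send(jsonrpc(method, params, self.next_id))
        while True:  # skip server notifications until our reply arrives (blocks if the server hangs)
            line = self.proc.stdout.readline()
            if not line:
                raise RuntimeError("server exited before answering")
            msg = json.loads(line)
            if msg.get("id") == self.next_id:
                return msg

    def call(self, name: str, arguments: dict) -> str:
        return text_result(self.request("tools/call", {"name": name, "arguments": arguments}))

# Constructed run: an MCP server as the target, with the suite the page gives as its example.
SETUP_ARGS = {
    "target_name": "server under test",
    "target_kind": "mcp",
    "mcp_transport": "stdio",
    "mcp_command": "node",
    "mcp_args": ["/path/to/target-mcp-server/index.js"],  # placeholder
    "suite_id": "owasp-mcp-top10",
    "attack_llm": {"provider": "openai", "model": "gpt-4o", "api_key_env": "OPENAI_API_KEY"},  # model is a placeholder
    "effort": "adaptive",
    "turns": 3,
    "config_path": "./opfor.config.json",  # fixed here so opfor_run does not depend on parsing the setup reply
}

def run_red_team(client: StdioClient, setup_args: dict, reports_dir: str = "./reports") -> str:
    """The three-call sequence from 'How it works', with the local checks first."""
    args = validate_setup_args(setup_args)
    if resolve_api_key_env(args["attack_llm"]) is None:
        raise RuntimeError("no API key in the environment for attack_llm; populate .env first")
    client.call("opfor_list_evaluators", {})  # discovery; optional once evaluators are named
    client.call("opfor_setup", args)          # writes opfor.config.json at config_path
    return client.call("opfor_run", {"config_path": args["config_path"], "output_dir": reports_dir})

if __name__ == "__main__":
    print(run_red_team(StdioClient(["node", SERVER_ENTRY]), SETUP_ARGS))
```

Running the whole script needs a built opfor checkout and a key in the environment; the validation, key-resolution and reply-parsing helpers run without either. Passing config_path to opfor_setup means opfor_run is pointed at a known file rather than at whatever the setup reply contains. request blocks on readline if the server never answers, so add a timeout before using this unattended.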

Providers

Supported providers and their default env vars.