MCP server

disrobe ships a Model Context Protocol server so an AI agent (Claude, Cursor, and other MCP clients) can drive deobfuscation and decompilation directly as tools. It speaks MCP over stdio via rmcp.

Every tool takes inline base64 bytes and returns structured JSON. The server never reads a file from disk based on client input; there is no path parameter on any tool. This is the same hard rule the HTTP/gRPC/LSP transports enforce; see the security posture.

Running it

Two equivalent entry points:

disrobe serve --mcp     # the CLI's MCP companion over stdio
disrobe-mcp             # the standalone MCP binary

Registering with Claude Code

claude mcp add disrobe -- disrobe serve --mcp

Or register the standalone binary:

claude mcp add disrobe -- disrobe-mcp

Registering with a generic MCP client

Most clients accept a JSON server entry. Point command at disrobe (or disrobe-mcp) and run over stdio:

{
  "mcpServers": {
    "disrobe": {
      "command": "disrobe",
      "args": ["serve", "--mcp"]
    }
  }
}

Tool catalog

| Tool | Input | Output |
| --- | --- | --- |
| auto | bytes_b64, optional max_depth | Chain verdict, detected formats, and per-pass recovery summary. Auto-detects and chains disrobe's Python + native-packer passes. |
| decompile | bytes_b64, optional max_depth | Every terminal recovered-source artifact (language-keyed text), for example a .pyc decompiled to Python. |
| ioc | bytes_b64 | Indicators of compromise: URLs, domains, IPs, emails, paths, registry keys, wallet addresses, crypto constants (one decode layer of base64/hex). |
| behavior | bytes_b64, optional imports | Static capability summary across network, filesystem, process-exec, registry-persistence, crypto, anti-analysis, and dynamic-code categories, with MITRE ATT&CK ids. |
| strings | bytes_b64, optional min_len, decode | Printable ASCII + UTF-16 strings, optionally decoding base64/rot/stack-string obfuscation, tagged with their encoding. |
| verify | bytes_b64 | Verify a .dr envelope: blake3 root hash, rung, hot/cold sizes. |
| rename | old, new, optional note | Append a symbol-rename record to .disrobe/notes/renames.json. |
| annot | target | Regenerate and validate an annotation sidecar under .disrobe/annotations/. |
| provenance_lookup | map_json, line | Look up the provenance entry for a line in a provenance-map document. |

The auto and decompile tools cover disrobe's Python and native-packer surface (PyArmor, PyInstaller, SourceDefender, Nuitka, PyFreeze, .pyc disassembly + decompilation, native packers, and container formats), the highest-value chain for an agent triaging an unknown blob. For the full language matrix, drive the CLI or the HTTP daemon.

Example call

A client calls decompile with the base64 of a .pyc and receives the recovered Python:

{
  "name": "decompile",
  "arguments": { "bytes_b64": "4w0NCgAAAAA..." }
}

{
  "schema": "disrobe.decompile/v1",
  "verdict": "Complete",
  "recovered": [
    { "pass": "py.decompile", "language": "Python", "formatted": true, "source": "x = a + b\n..." }
  ]
}

Security posture

The server performs pure static analysis by default and never executes the supplied bytes. It rejects empty or malformed base64 with a typed error, and rejects unknown JSON fields on every tool. Because no tool accepts a filesystem path, there is no way to make the server read an arbitrary file via a client-controlled string. See the forensics and malware-safety posture and the threat model.
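The input rules described above (strict base64, no unknown fields, no path parameter), sketched in Python as an added illustration; this is not disrobe's own code. The function names, the error-code strings, and the sample bytes are assumptions made for the example; the argument names come from the tool catalog.

```python
import base64
import binascii
# Argument names per tool, copied from the tool catalog (subset). None is a path.
TOOL_ARGS = {
    "auto": {"bytes_b64", "max_depth"},
    "decompile": {"bytes_b64", "max_depth"},
    "ioc": {"bytes_b64"},
    "strings": {"bytes_b64", "min_len", "decode"},
}

class ToolInputError(ValueError):
    """Typed rejection; the code strings are hypothetical, not disrobe's."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code

def build_call(tool, sample, **options):
    """Client side: the caller reads the sample itself and inlines the bytes."""
    b64 = base64.b64encode(sample).decode("ascii")
    return {"name": tool, "arguments": {"bytes_b64": b64, **options}}

def validate_call(call):
    """Return the decoded bytes or raise; validate=True refuses stray characters."""
    name, args = call.get("name"), call.get("arguments")
    if not isinstance(name, str) or name not in TOOL_ARGS:
        raise ToolInputError("unknown_tool", repr(name))
    if not isinstance(args, dict):
        raise ToolInputError("bad_arguments", "arguments must be an object")
    extra = sorted(set(args) - TOOL_ARGS[name])
    if extra:  # any field outside the schema, including a would-be path
        raise ToolInputError("unknown_field", ", ".join(extra))
    b64 = args.get("bytes_b64")
    if not isinstance(b64, str) or not b64:
        raise ToolInputError("empty_input", "bytes_b64 is missing or empty")
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ToolInputError("malformed_base64", str(exc)) from None

def rejection_code(call):
    """Return the error code for a rejected call, or None if it is accepted."""
    try:
        validate_call(call)
    except ToolInputError as err:
        return err.code
    return None

# Constructed 8-byte sample; its base64 starts like the example argument above.
PYC_HEAD = b"\xe3\x0d\x0d\x0a\x00\x00\x00\x00"
```

A client that has a sample on disk reads it locally and passes the bytes to `build_call`; a `path` key, or any other key outside the catalog, is refused before any decoding happens.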