Server data from the Official MCP Registry
Privacy-first AWS security in your AI: attack paths & fix simulation, IDs never sent to the LLM.
Privacy-first AWS security in your AI: attack paths & fix simulation, IDs never sent to the LLM.
The MCP server architecture is sound with privacy-first design (local tokenization), but the backend has several security concerns. Critical issues include unsafe subprocess execution without input validation, overly broad CORS configuration, inadequate rate limiting with in-memory storage that resets on restart, and missing validation on key endpoints. The codebase lacks comprehensive input sanitization and error handling, creating moderate risk for denial-of-service and potential code execution vulnerabilities. Supply chain analysis found 8 known vulnerabilities in dependencies (0 critical, 4 high severity). Package verification found 1 issue.
4 files analyzed · 23 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: EMFIRGE_PRIVACY
Environment variable: EMFIRGE_BASE_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-theanshsonkar-emfirge": {
"env": {
"EMFIRGE_PRIVACY": "your-emfirge-privacy-here",
"EMFIRGE_BASE_URL": "your-emfirge-base-url-here"
},
"args": [
"-y",
"@emfirge/mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
AWS security that lives inside your AI. Attack paths, blast radius, fix simulations — all from a conversation.
MCP-native · Claude · Cursor · Kiro · Cline · Continue · Codex CLI · Privacy-first

"Show me the worst attack path from the internet" — emfirge_simulate_breach in Claude Code. AWS IDs are tokenized locally (strict mode) before they reach the LLM.
You: scan my AWS, role arn:aws:iam::123456789012:role/EmfirgeReadOnly
Claude: Scanned 47 resources. Risk score: 38/100 (HIGH).
3 critical findings, 2 toxic combos.
Worst path: INTERNET → SG_001 → EC2_001 → S3_001 (crown jewel).
Want me to walk the full kill chain?
You: verify a fix — close port 22 on that security group
Claude: Simulated. Score jumps 38 → 62. Resolves 2 findings, breaks 0 paths.
Safe to apply.
The AI isn't guessing. Emfirge clones your infrastructure graph, applies the change, and re-runs 58 deterministic rules. Claude reads back what the engine proved — not what it imagined.
npx @emfirge/mcp install
Auto-detects every supported MCP client, wires Emfirge in, picks a privacy mode. Restart your client, then ask:
"Scan my AWS account, role
arn:aws:iam::123456789012:role/EmfirgeReadOnly, region us-east-1"
No AWS account? Use the demo ARN — zero setup:
arn:aws:iam::194722410583:role/EmfirgeReadOnly
region: us-east-1
"Scan with
arn:aws:iam::194722410583:role/EmfirgeReadOnlyinus-east-1"
No role yet but want to scan your real AWS? Say "help me set up Emfirge" — your assistant hands you a one-click CloudFormation deploy link.
Free. 15 scans/day per AWS account. No signup. No API keys.
Need a visual graph? emfirge.cloud — same engine, browser UI, free during beta.
npx @emfirge/mcp install # auto-wire to all detected MCP clients
npx @emfirge/mcp uninstall # remove from all clients
npx @emfirge/mcp status # show what's wired up + privacy mode
npx @emfirge/mcp privacy <mode> # strict | balanced | off
npx @emfirge/mcp tokens # list local token mappings
npx @emfirge/mcp purge --role-arn <ARN> # delete all your scan data
Env vars, per-client config paths, manual install fallback → mcp/README.md.
Coverage: EC2, Lambda, ECS, S3, EBS, RDS, IAM, Secrets Manager, KMS, VPC, Security Groups, WAF, CloudFront, SNS, CloudTrail, GuardDuty, CloudWatch, AWS Config, Budgets — 16 services, 58 rules.
In the default strict mode, the MCP tokenizes every AWS identifier
locally before any data reaches your LLM. The mapping lives at
~/.emfirge/tokens.json — never sent to Emfirge, Anthropic, or anyone.
What the LLM sees: "INTERNET → SG_001 → EC2_001 → S3_001"
What's on your disk: SG_001 = sg-0a1b2c3d
EC2_001 = i-0abc...
S3_001 = acme-prod-data
Three modes, switch any time:
| Mode | What's tokenized | Best for |
|---|---|---|
strict (default) | Every AWS ID — ARNs, EC2/SG/IAM/S3, IPs, account IDs, bucket names | Banks, healthcare, regulated industries |
balanced | ARNs, EC2/SG/EIP/IAM IDs, IPs, account IDs. Subnets/VPCs/volumes raw. | Most users |
off | Nothing — raw IDs go to the LLM | Personal accounts, demo, debugging |
npx @emfirge/mcp privacy strict|balanced|off
Backend retention is 90 days. Run npx @emfirge/mcp purge --role-arn <ARN>
to wipe everything, instantly. Full story in PRIVACY.md.
┌──────────────┐ role ARN ┌──────────────┐ read-only ┌─────┐
│ Your laptop │──────────────▶│ emfirge.cloud│─────────────▶│ AWS │
│ (MCP host) │ │ (scanner) │ STS, 1 hr └─────┘
└──────┬───────┘ └──────┬───────┘
│ │
│ tokenized IDs │ findings + graph
▼ ▼
┌──────────────┐ ┌──────────────┐
│ Your LLM │ │ Postgres + S3│
│ (Claude/etc) │ │ (90-day TTL)│
└──────────────┘ └──────────────┘
The MCP runs on your laptop. Your LLM only ever sees tokenized IDs — the mapping never leaves your machine. The backend assumes your read-only IAM role with a 1-hour STS token, scans, saves findings for 90 days, then auto-deletes.
| Tool | What it does |
|---|---|
emfirge_setup_help | Returns the CloudFormation deploy URL |
emfirge_scan | Run a scan, returns score + analysis_id |
emfirge_get_findings | Pull findings, filterable by severity |
emfirge_attack_paths | Internet → crown-jewel paths + chokepoints |
emfirge_verify_fix | Simulate a fix, see real score delta |
emfirge_check_compliance | CIS / SOC 2 per-control status |
emfirge_simulate_breach | Full kill-chain walkthrough — attack stages, blast radius, follow-up moves |
All 7 tools are deterministic on the backend — no LLM calls inside the MCP path. Your host LLM is the only AI in the loop, and in
strictmode it only ever sees tokenized data.
BUSL 1.1 — free for any non-production use, free in production up to $1M ARR or 100 employees. Auto-converts to Apache 2.0 in 2030. Contributors agree to the same terms — see CONTRIBUTING.md.
Built by Ansh Sonkar — LinkedIn · emfirge.cloud
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.