maltego-mcp

WIP

Maltego Desktop OSINT integration.

WHAT IT DOES

maltego-mcp is two cooperating layers for Maltego Graph Desktop. Phase A is a Model Context Protocol server: point an MCP-compatible client at it and the assistant can author Maltego .mtgx graph files and run primitive OSINT lookups (whois, DNS, ASN, certificate transparency). Graphs land on disk and you open them in Maltego Desktop.

Phase B is an optional Python TRX transform pack shipped as a .mtz. It adds right-click pivots into MISP, TheHive, Cortex, and the bundled MITRE ATT&CK dataset directly inside Maltego Desktop. The two phases share the repo and nothing else, so either layer can be uninstalled without breaking the other.

The server does not embed third-party threat-intel clients. For MISP events, ATT&CK techniques, and Cortex reports, call the dedicated MCPs (misp-mcp, mitre-mcp, cortex-mcp) and pipe results into maltego_add_entity / maltego_add_link, or use maltego_build_ioc_graph to fold those summaries into one combined graph.

Status: work in progress. Phase A is published to npm; the surface may keep shifting as Phase B transforms mature. The Basic-friendly demo graph stays under 24 entities to respect Maltego Basic's per-transform result limit.

INSTALL

Phase A is published to npm. Install globally to get the maltego-mcp binary. Requires Node.js 20+ and Maltego Graph Desktop (Basic, Pro, or Enterprise) for the graphs to be useful.

$ npm install -g maltego-mcp

Phase B transforms require a source checkout and Python 3.11+ on the Maltego host.

$ git clone https://github.com/solomonneas/maltego-mcp.git
$ cd maltego-mcp
$ npm install && npm run build
 
# Phase B: build the .mtz transform pack
$ npm run setup:transforms # venv with maltego-trx pinned
$ npm run build:mtz # writes dist/maltego-mcp-transforms.mtz

Both env vars are optional: MALTEGO_MCP_OUTPUT_DIR (default ~/MaltegoGraphs) sets where .mtgx files are written, and MALTEGO_MCP_LOOKUP_TIMEOUT_MS (default 30000) caps the crt.sh lookup. The .mtz bakes in the absolute venv path, so rebuild it if the repo moves.

CLIENT CONFIG

A sample mcpServers entry (Claude Desktop, or any MCP client that reads the same shape). It runs the installed binary over stdio with no required env.

{
  "mcpServers": {
    "maltego": {
      "command": "maltego-mcp"
    }
  }
}

For Claude Code use claude mcp add maltego -- maltego-mcp. The repo README also documents OpenClaw (including a ClawHub plugin install), Codex CLI, and Hermes Agent, plus source-checkout variants that run node dist/mcp-server.js.

CAPABILITIES / TOOLS EXPOSED

Phase A exposes graph-authoring tools, primitive OSINT lookups, and convenience expanders. Entities use the standard Maltego ontology (IPv4Address, Domain, URL, Hash, AS, Netblock, and so on); use Phrase with a category prefix for concepts without a standard type. Grouped below; see the README for the full per-argument reference.

Graph authoring

maltego_create_graph
Start a new graph; returns a graphId handle.
maltego_add_entity / maltego_add_link
Add typed entities and links between them; each returns an id.
maltego_save_graph / maltego_load_graph
Write a handle to a .mtgx file on disk, or parse an existing .mtgx into a new handle.

Primitive lookups

maltego_whois
Registrar, nameservers, and registration dates for a domain.
maltego_dns
A / AAAA / MX / NS / TXT records for a domain.
maltego_asn
Team Cymru ASN, prefix, country, and org for an IP.
maltego_crtsh
Certificate-transparency log entries for a domain.

Convenience expanders

maltego_expand_ip
IP plus ASN and netblock, saved straight to .mtgx.
maltego_expand_domain
Domain plus whois, DNS, and ASN per A record, saved to .mtgx.
maltego_expand_hash
Hash entity scaffold for later enrichment.
maltego_build_ioc_graph
One IOC plus enrichment summaries from other MCPs, saved as a single .mtgx.
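
An added example, not code from the maltego-mcp repo: a client-side pre-check that refangs an indicator copied from a report, validates it, and picks the convenience expander and entity type that fit it. The tool and entity-type names are the ones listed above; routeIoc, refang and the returned object shape are hypothetical, and the sample indicators used with it are constructed.

```javascript
// Added example: choose a maltego-mcp convenience expander for one indicator.
// Tool and entity-type names come from this page; routeIoc(), refang() and the
// returned object shape are hypothetical helpers, not part of the project.

const HASH_ALGOS = { 32: "MD5", 40: "SHA-1", 64: "SHA-256" }; // guessed from hex length only

// Undo common defanging (hxxp://, [.], (.), {.}, [:]) found in threat reports.
function refang(raw) {
  return raw.trim()
    .replace(/^hxxp(s?):\/\//i, "http$1://")
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, ".")
    .replace(/\[:\]/g, ":");
}

// Strict dotted quad: four decimal octets 0-255, no leading zeros (avoids octal ambiguity).
function isIPv4(s) {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Hostname syntax: 2+ LDH labels, total <= 253 chars, last label not all digits.
function isDomain(s) {
  const labels = s.split(".");
  return s.length <= 253 && labels.length >= 2 &&
    labels.every((l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(l)) &&
    /[a-z]/.test(labels[labels.length - 1]);
}

// Returns { tool, entityType, value[, algo] } or null when nothing should be looked up.
function routeIoc(raw) {
  let value = refang(String(raw));
  // A URL is reduced to its host: drop scheme, userinfo, port and path.
  const url = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]+)/i.exec(value);
  if (url) value = url[1].replace(/^.*@/, "").replace(/:\d+$/, "");
  value = value.toLowerCase().replace(/\.$/, "");

  if (isIPv4(value)) {
    return { tool: "maltego_expand_ip", entityType: "IPv4Address", value };
  }
  if (/^[0-9a-f]+$/.test(value) && HASH_ALGOS[value.length]) {
    return { tool: "maltego_expand_hash", entityType: "Hash", value, algo: HASH_ALGOS[value.length] };
  }
  if (isDomain(value)) {
    return { tool: "maltego_expand_domain", entityType: "Domain", value };
  }
  return null; // malformed or unsupported: do not send it to a lookup
}
```

A null result means the string never reaches the whois, DNS, Team Cymru, or crt.sh lookups, which keeps malformed or unintended values out of third-party query logs.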

Phase B adds right-click TRX transforms inside Maltego Desktop: pivots into MISP, TheHive, Cortex, and the bundled ATT&CK dataset. See transforms/README.md in the repo.

Graph output: .mtgx
Phase B transforms: .mtz
MCP transport: stdio
License: MIT