LimaCharlie
FreeNot checkedA local MCP server for the LimaCharlie security platform that provides investigation, administration, and content-review workflows via a broad read-only tool su
About
A local MCP server for the LimaCharlie security platform that provides investigation, administration, and content-review workflows via a broad read-only tool surface with explicit organization scoping and audit logging.
README
A local MCP for LimaCharlie setup, administration, investigations, and tuning.
This is an alternative to the LimaCharlie hosted MCP. It uses LimaCharlie API surfaces directly, requires explicit scope for data, records a local audit line for each tool call, and can start adding value even with just read-only access.
Why?
Doesn't LimaCharlie already have an MCP? Yes.
Is something wrong with the LimaCharlie MCP? Nope.
Then... why? I love LimaCharlie, I had some free time, and wanted something that made LimaCharlie more accessible to people who dont live in the dark realm of EDR internals.
The official LimaCharlie docs describe:
- a hosted HTTP MCP endpoint at
https://mcp.limacharlie.io/mcp, - OAuth, JWT, and org API key authentication options,
- CLI and SDK helper surfaces layered on top of the same APIs.
This server is different: it runs locally over stdio, exchanges an org API key for short-lived LimaCharlie JWTs, refreshes those JWTs automatically, and calls the APIs directly. That avoids shelling out to the CLI and keeps the MCP implementation small and reviewable.
Install From Geoff's Plugins
The easiest agent-facing install path is the geoffs-plugins marketplace:
/plugin marketplace add geoffbelknap/geoffs-plugins
/plugin install limacharlie-mcp@geoffs-plugins
The plugin handles running the MCP server. Configure auth once before calling LimaCharlie tools.
By default, setup uses a managed local
Vault so the long-lived LimaCharlie API
key is not accidentally stored in chat history, .env files, MCP client
configuration, or audit logs. The MCP uses that protected key to mint
short-lived LimaCharlie JWTs when tools need API access.
First-Time Auth Setup
You need two values from LimaCharlie: an organization ID and a temporary bootstrap API key.
- Open LimaCharlie, login, and choose your organization.
- Copy the org ID from the URL:
app.limacharlie.io/orgs/<org-id>/.... - Open a terminal on the host running your MCP, swap in your org ID where it
says
paste-your-org-id-here, and run this:
uvx --from git+https://github.com/geoffbelknap/limacharlie-mcp \
limacharlie-mcp-configure \
--oid "paste-your-org-id-here" \
--provision-runtime-key
The command will print a temporary bootstrap key name and stop at a hidden
LimaCharlie API key secretprompt. Leave it waiting there.Go back to your browser and head to
Organization Settings->Access Management->REST API.Click
Create API Key, name it exactly what the command printed, and give it only:org.get apikey.ctrlThe setup command uses this temporary key to create one dedicated runtime key named
limacharlie-mcp-runtime, stores that runtime key in local Vault, and verifies it. It does not print either secret.Don't bother adding
live_stream.ctrl; this MCP does not expose live firehose or streaming telemetry tools. Spraying high pressure random telemetry at an AI is great for burning tokens, but it ain't going to make you more secure.Create your bootstrap key and copy the secret from the LimaCharlie dashboard.
Switch back to the terminal and paste the secret into the hidden prompt. It will not end up in your shell history.
After setup verifies the runtime key, delete the printed bootstrap key from LimaCharlie. The runtime key is already stored in Vault.
Then start a new chat with your favorite AI tool, with the plugin enabled, and ask:
Check my LimaCharlie MCP auth status.
The agent should confirm credentials are configured without showing secrets.
For screenshots, permissions, user API key mode, advanced deployment, and troubleshooting, see Onboarding And Auth.
What You Can Ask It To Do
Start with one of these:
- "Check my LimaCharlie MCP auth status."
- "Show me which LimaCharlie MCP profile and tools are available."
- "Review my LimaCharlie org posture."
- "List my LimaCharlie sensors."
- "Triage this LimaCharlie detection."
- "Help me tune noisy LimaCharlie detections."
The MCP is split into focused profiles so normal agent sessions do not need to load every tool at once:
| Profile | Intended use |
|---|---|
core |
Auth, org discovery, runtime status, schemas, ontology, and downloads. |
fleet |
Sensor onboarding, installation keys, tags, online state, and fleet maintenance. |
admin |
Organizations, users, groups, API keys, billing, outputs, extensions, and org configuration. |
content |
D&R, false positives, YARA, Hive content, lookups, playbooks, SOPs, and content governance. |
detect |
Bounded detection triage, events, cases, IOC lookups, audit, search, artifacts, and jobs. |
contain |
Endpoint containment, response tasking, reliable tasks, job cancellation, and supporting evidence. |
evict |
Response tasking plus content/YARA workflows used to remove adversary footholds. |
recover |
Post-incident recovery verification and restoration previews. |
review |
Read-only posture review, tuning, content coverage, case backlog, and access hygiene. |
Ask the agent to call lc_tool_catalog when you want the current profile's
exact tool list.
Safety Model
This MCP is meant to help an agent work carefully, not turn LimaCharlie into an unbounded data pump.
- Tools use bounded reads with explicit org scope, limits, cursors, selectors, or time windows.
- Response and administration changes use preview/confirm flows.
- API keys, JWTs, Vault tokens, and secret values are not returned in tool responses or audit excerpts.
- Live telemetry streaming, spout, and firehose surfaces are intentionally not exposed. Use LimaCharlie outputs, storage, SIEM pipelines, or purpose-built stream processors for operational telemetry streams.
More Help
- First-time setup, screenshots, user API keys, and reauth: Onboarding And Auth
- Advanced operator deployment and MCP client config: Deployment
- LimaCharlie docs: https://docs.limacharlie.io/
- LimaCharlie API key docs: https://docs.limacharlie.io/7-administration/access/api-keys/
Installing LimaCharlie
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/geoffbelknap/limacharlie-mcpFAQ
Is LimaCharlie MCP free?
Yes, LimaCharlie MCP is free — one-click install via Unyly at no cost.
Does LimaCharlie need an API key?
No, LimaCharlie runs without API keys or environment variables.
Is LimaCharlie hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install LimaCharlie in Claude Desktop, Claude Code or Cursor?
Open LimaCharlie on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare LimaCharlie with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
