Web Recon Agent

Name: Web Recon Agent
Author: joepangallo

joepangallo/web-recon-agent

Run allowlisted, owned-target web recon and security assessment from your coding agent before or after shipping authenticated apps.

Overview

io.github.joepangallo/web-recon-agent is a MCP server for the Ship phase that runs allowlisted web security assessment jobs against owned or authorized targets.

What is this MCP server?

Requires MCP_TARGET_ALLOWLIST hostnames before any scan runs
MCP_OWNED_TARGETS unlocks active and owned-aggressive modes for hosts you control
stdio npm package mcp-web-recon-agent (v0.8.1)
Optional MCP_MAX_CONCURRENT caps parallel jobs (default 2)
Optional MCP_JOB_STORE_PATH persists job metadata (default mcp-jobs.json)
Package version 0.8.1
Default MCP_MAX_CONCURRENT is 2
Transport: stdio via npm identifier mcp-web-recon-agent

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Solo builders hardening login-heavy apps lack a safe, agent-callable way to run recon without drifting onto unauthorized hosts.

Who is it for?

Indie developers shipping SaaS with auth who control staging domains and want MCP-driven security passes on an explicit hostname list.

Skip if: Builders scanning third-party sites, bug-bounty targets without written scope, or teams that need a managed SaaS scanner with no local ops.

What do I get? / Deliverables

After you register the server with allowlists and optional owned-target flags, your agent can launch bounded concurrent assessment jobs with persisted metadata.

Agent-invokable scan jobs against allowlisted hosts
Optional persisted job history via MCP_JOB_STORE_PATH
Concurrency-bounded parallel assessments (default max 2)

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Security assessment and reconnaissance belong in Ship where solo builders harden and verify what they are about to release or already run in production. Matches the security subphase because the server is explicitly framed as web security assessment for high-friction, authenticated targets—not generic browsing or docs lookup.

How it compares

MCP security recon integration, not a Claude skill or a passive documentation search server.

Common Questions / FAQ

Who is io.github.joepangallo/web-recon-agent for?

It is for developers and agent workflows that need owned-target web security assessment on authenticated apps, with mandatory hostname allowlisting.

When should I use io.github.joepangallo/web-recon-agent?

Use it during Ship security work when you have defined hosts in MCP_TARGET_ALLOWLIST and optionally MCP_OWNED_TARGETS for stronger modes on property you control.

How do I add io.github.joepangallo/web-recon-agent to my agent?

Add the stdio npm package mcp-web-recon-agent to your MCP client config, set MCP_TARGET_ALLOWLIST (required), then restart the agent so tools load over stdio.

Web Recon Agent

joepangallo/web-recon-agent

Run allowlisted, owned-target web recon and security assessment from your coding agent before or after shipping authenticated apps.

Overview

io.github.joepangallo/web-recon-agent is a MCP server for the Ship phase that runs allowlisted web security assessment jobs against owned or authorized targets.

What is this MCP server?

Requires MCP_TARGET_ALLOWLIST hostnames before any scan runs
MCP_OWNED_TARGETS unlocks active and owned-aggressive modes for hosts you control
stdio npm package mcp-web-recon-agent (v0.8.1)
Optional MCP_MAX_CONCURRENT caps parallel jobs (default 2)
Optional MCP_JOB_STORE_PATH persists job metadata (default mcp-jobs.json)
Package version 0.8.1
Default MCP_MAX_CONCURRENT is 2
Transport: stdio via npm identifier mcp-web-recon-agent

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Solo builders hardening login-heavy apps lack a safe, agent-callable way to run recon without drifting onto unauthorized hosts.

Who is it for?

Indie developers shipping SaaS with auth who control staging domains and want MCP-driven security passes on an explicit hostname list.

Skip if: Builders scanning third-party sites, bug-bounty targets without written scope, or teams that need a managed SaaS scanner with no local ops.

What do I get? / Deliverables

After you register the server with allowlists and optional owned-target flags, your agent can launch bounded concurrent assessment jobs with persisted metadata.

Agent-invokable scan jobs against allowlisted hosts
Optional persisted job history via MCP_JOB_STORE_PATH
Concurrency-bounded parallel assessments (default max 2)

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

MCP security recon integration, not a Claude skill or a passive documentation search server.

Common Questions / FAQ

Who is io.github.joepangallo/web-recon-agent for?

It is for developers and agent workflows that need owned-target web security assessment on authenticated apps, with mandatory hostname allowlisting.

When should I use io.github.joepangallo/web-recon-agent?

Use it during Ship security work when you have defined hosts in MCP_TARGET_ALLOWLIST and optionally MCP_OWNED_TARGETS for stronger modes on property you control.

How do I add io.github.joepangallo/web-recon-agent to my agent?

Add the stdio npm package mcp-web-recon-agent to your MCP client config, set MCP_TARGET_ALLOWLIST (required), then restart the agent so tools load over stdio.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.joepangallo/web-recon-agent for?

When should I use io.github.joepangallo/web-recon-agent?

How do I add io.github.joepangallo/web-recon-agent to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.joepangallo/web-recon-agent for?

When should I use io.github.joepangallo/web-recon-agent?

How do I add io.github.joepangallo/web-recon-agent to my agent?