Two cooperating layers for Maltego Desktop:
- Phase A (TypeScript MCP server): lets an LLM author Maltego .mtgx graph files and run primitive OSINT lookups (whois / DNS / ASN / crt.sh). Graphs land on disk and you open them in Maltego Desktop.
- Phase B (Python TRX transforms in a .mtz): adds right-click pivots into MISP, TheHive, Cortex, and the bundled MITRE ATT&CK dataset directly inside Maltego Desktop. See transforms/README.md.
The two phases share the repo, nothing else. Either layer can be uninstalled without breaking the other.
Requirements
- Node.js 20+
- Maltego Graph Desktop (Basic, Pro, or Enterprise) for either layer to be useful
- Phase B only: Python 3.11+ on the Maltego host
Tools (Phase A)
Graph authoring
- maltego_create_graph(name) — returns graphId
- maltego_add_entity(graphId, type, value, properties?) — returns entityId
- maltego_add_link(graphId, from, to, label?, properties?) — returns linkId
- maltego_save_graph(graphId, path, overwrite?) — writes .mtgx
- maltego_load_graph(path) — parses an existing .mtgx into a new handle
Primitive lookups
- maltego_whois(domain) — registrar, nameservers, dates
- maltego_dns(domain) — A/AAAA/MX/NS/TXT
- maltego_asn(ip) — Team Cymru ASN, prefix, country, org
- maltego_crtsh(domain) — certificate transparency entries
Convenience expanders
- maltego_expand_ip(ip, outputPath, overwrite?) — IP + ASN + netblock, saved as .mtgx
- maltego_expand_domain(domain, outputPath, overwrite?) — domain + whois + DNS + ASN per A record
- maltego_expand_hash(hash, outputPath, algorithm?, overwrite?) — hash entity (extend in later versions)
Entity types
Standard Maltego ontology: IPv4Address, IPv6Address, Domain, URL, Hash, EmailAddress, Netblock, AS, Website, Company, Person. For concepts without a standard type, use Phrase with a category prefix ([T1566] Phishing, [TheHive] Case #42).
Composing with other MCPs
maltego-mcp does not embed third-party threat-intel clients. For MISP events, ATT&CK techniques, Cortex reports, etc., call the dedicated MCPs (misp-mcp, mitre-mcp, cortex-mcp, etc.) and pipe results into maltego_add_entity / maltego_add_link. Or, for in-Maltego pivots, install Phase B (below).
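One way to do the piping described above, as an added example that is not part of the maltego-mcp code base: it maps MISP-style attributes onto the entity types listed earlier, falls back to Phrase with a category prefix, and links each entity to an event node. Tool and argument names are the README's; the `Attr` shape, the `CallTool` wrapper, the type strings being accepted verbatim, and each tool resolving to the new id as a string are assumptions.

```typescript
// Added example, not maltego-mcp code. Tool and argument names are the README's;
// Attr, CallTool and "each tool resolves to the new id" are assumptions.
type Attr = { type: string; value: string }; // MISP-style attribute (assumed shape)
type EntityArgs = { graphId: string; type: string; value: string };
type CallTool = (tool: string, args: object) => Promise<string>;

const DIRECT = new Map<string, string>([
  ["domain", "Domain"], ["hostname", "Domain"], ["url", "URL"], ["email-src", "EmailAddress"],
  ["md5", "Hash"], ["sha1", "Hash"], ["sha256", "Hash"], ["AS", "AS"],
]);

// Map one attribute to maltego_add_entity arguments.
function toEntityArgs(graphId: string, source: string, a: Attr): EntityArgs {
  const value = a.value.trim();
  if (a.type === "ip-src" || a.type === "ip-dst") {
    // MISP uses one type for both address families; the ontology has two.
    return { graphId, type: value.includes(":") ? "IPv6Address" : "IPv4Address", value };
  }
  const type = DIRECT.get(a.type);
  if (type !== undefined) return { graphId, type, value };
  // No standard type: Phrase with a category prefix, as the README suggests.
  return { graphId, type: "Phrase", value: `[${source}] ${a.type}: ${value}` };
}

// Create a graph, add an event node, then one linked entity per unique attribute.
async function pushEvent(call: CallTool, name: string, eventId: string, attrs: Attr[]): Promise<string> {
  const graphId = await call("maltego_create_graph", { name });
  const root = await call("maltego_add_entity",
    { graphId, type: "Phrase", value: `[MISP] Event #${eventId}` });
  const seen = new Set<string>();
  for (const a of attrs) {
    const args = toEntityArgs(graphId, "MISP", a);
    const key = `${args.type}|${args.value}`;
    if (seen.has(key)) continue; // skip duplicate indicators
    seen.add(key);
    const entityId = await call("maltego_add_entity", args);
    await call("maltego_add_link", { graphId, from: root, to: entityId, label: a.type });
  }
  return graphId;
}

// Constructed sample attributes, as a MISP MCP might return them.
const SAMPLE: Attr[] = [
  { type: "ip-dst", value: "192.0.2.10" },
  { type: "ip-dst", value: "2001:db8::1" },
  { type: "domain", value: "example.com" },
  { type: "mutex", value: "Global\\demo" },
];
```

The lookup table is a Map rather than an object literal so that attribute types such as `constructor` coming from untrusted feeds fall through to the Phrase branch instead of hitting prototype properties.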
Install
npm install -g maltego-mcp
Or from source (required for Phase B transforms):
git clone https://github.com/solomonneas/maltego-mcp.git
cd maltego-mcp
npm install
npm run build
Configuration
Both env vars are optional.
| Variable | Default | Description |
|---|---|---|
| MALTEGO_MCP_OUTPUT_DIR | ~/MaltegoGraphs | Default output directory for .mtgx files |
| MALTEGO_MCP_LOOKUP_TIMEOUT_MS | 30000 | Per-lookup timeout in ms (currently applied to crt.sh only; whois, dns, asn use library defaults) |
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
  "mcpServers": {
    "maltego": {
      "command": "maltego-mcp"
    }
  }
}
Or, when running from a source checkout instead of the global npm install:
{
  "mcpServers": {
    "maltego": {
      "command": "node",
      "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
    }
  }
}
Restart Claude Desktop. The maltego_* tools should appear.
Claude Code
claude mcp add maltego -- maltego-mcp
Or from a source checkout:
claude mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js
Add --scope user to make it available from any directory instead of only the current project.
OpenClaw
Recommended: install as an OpenClaw plugin via ClawHub.
openclaw plugins install clawhub:maltego
systemctl --user restart openclaw-gateway
openclaw plugins list # confirm "maltego" is registered
This installs the same package as a native OpenClaw plugin — tool calls go through the plugin SDK directly instead of spawning a separate stdio MCP process. Configure outputDir and lookupTimeoutMs in OpenClaw's plugin config UI or via the JSON config file.
Or, register as a stdio MCP server (manual):
openclaw mcp set maltego '{
  "command": "maltego-mcp"
}'
Or, when running from a source checkout:
openclaw mcp set maltego '{
  "command": "node",
  "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
}'
Then restart the OpenClaw gateway so the new server is picked up:
systemctl --user restart openclaw-gateway
openclaw mcp list # confirm "maltego" is registered
Hermes Agent
Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:
mcp_servers:
  maltego:
    command: "maltego-mcp"
Or, when running from a source checkout:
mcp_servers:
  maltego:
    command: "node"
    args: ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
Then reload MCP from inside a Hermes session:
/reload-mcp
Codex CLI
Codex CLI registers MCP servers via codex mcp add:
codex mcp add maltego -- maltego-mcp
Or from a source checkout:
codex mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js
Codex writes the entry to ~/.codex/config.toml under [mcp_servers.maltego]. Verify with:
codex mcp list
Phase B: in-Maltego transforms (.mtz)
A separate Python transform layer ships right-click pivots into MISP, TheHive, Cortex, and ATT&CK directly inside Maltego Desktop. See transforms/README.md for full setup.
Quick start (from a source checkout, on the Maltego host):
npm run setup:transforms # creates transforms/.venv with maltego-trx pinned
npm run build:mtz # writes dist/maltego-mcp-transforms.mtz
# Then in Maltego: Import -> Configuration -> dist/maltego-mcp-transforms.mtz
The build bakes the absolute path of transforms/.venv into the manifest, so the .mtz is tied to the host that built it. Re-run npm run build:mtz if the repo moves.
Example prompts
Build me a Maltego graph for the domain example.com with whois, DNS, and ASN expansion.
Calls maltego_expand_domain and returns the path to the saved .mtgx.
Pivot from this IP — give me ASN + netblock as a Maltego graph.
Calls maltego_expand_ip.
Look up the cert transparency log for example.com.
Calls maltego_crtsh and returns matching certificates.
Development
npm test # Phase A unit tests (vitest)
npm run test:integration
npm run test:all
npm run typecheck
npm run test:transforms # Phase B pytest suite