14 anonymous tools for AI agents. All are invoked over JSON-RPC 2.0 at POST /api/mcp via tools/call. See the machine-readable OpenAPI spec and API tiers.
Analyze email headers for security threats. Detects phishing, BEC patterns, spoofing (homoglyph + typosquat), and SPF/DKIM/DMARC failures. Returns a 0-100 threat score, severity level, and detailed indicators. Stateless and safe for anonymous use.
{
"type": "object",
"required": [
"from"
],
"properties": {
"from": {
"type": "string",
"description": "From header (e.g., 'John Doe <john@example.com>')"
},
"replyTo": {
"type": "string",
"description": "Reply-To header"
},
"subject": {
"type": "string",
"description": "Subject line for BEC pattern detection"
},
"authenticationResults": {
"type": "string",
"description": "Authentication-Results header"
},
"receivedSpf": {
"type": "string",
"description": "Received-SPF header"
},
"recipientDomain": {
"type": "string",
"description": "Recipient domain for spoofing detection"
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_analyze_headers","arguments":{}}}'Check whether an email address appears in known data breaches (public, anonymous). Returns breach count, most recent breach date, and per-breach name/date/data-classes. Does not return passwords or any PII beyond the queried email. No authentication required.
{
"type": "object",
"required": [
"value"
],
"properties": {
"value": {
"type": "string",
"description": "Email address to check."
},
"type": {
"type": "string",
"enum": [
"email",
"domain"
],
"description": "email (default). Domain-wide search is reserved for the API tier."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_email_breaches","arguments":{}}}'Look up a domain's registration age via RDAP (public, anonymous). Returns ageInDays, createdAt, registrar, and a riskLevel — newly registered domains are a top phishing signal. No authentication required.
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Domain or URL to look up."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_domain_age","arguments":{}}}'Generate likely lookalike/typosquat domains for a brand domain and report which are registered and their threat verdict (public, anonymous). Returns up to 10 candidates with similarity scores. No authentication required.
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Brand domain to protect (e.g., 'paypal.com')."
},
"threshold": {
"type": "number",
"description": "Minimum similarity 0-1 (default 0.85)."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_lookalike_domains","arguments":{}}}'Structured WHOIS/RDAP summary for a domain plus a red-flags list (newly registered, privacy-protected, no registrar) (public, anonymous). No authentication required.
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Domain or URL to look up."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_whois_summary","arguments":{}}}'Look up and interpret a domain's DMARC policy via DNS (public, anonymous). Returns policy, subdomain policy, pct, reporting addresses, a strong/weak/missing verdict, and recommendations. No authentication required.
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Domain to check (e.g., 'example.com')."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_dmarc","arguments":{}}}'Look up and interpret a domain's SPF record via DNS (public, anonymous). Returns the record, mechanisms, the 'all' qualifier, a strong/weak/missing verdict, and recommendations. No authentication required.
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Domain to check."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_spf","arguments":{}}}'Look up a DKIM key for a domain + selector via DNS (public, anonymous). Returns whether a key is configured and its type. No authentication required.
{
"type": "object",
"required": [
"domain",
"selector"
],
"properties": {
"domain": {
"type": "string",
"description": "Domain to check."
},
"selector": {
"type": "string",
"description": "DKIM selector (e.g., 'google', 'selector1')."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_dkim","arguments":{}}}'Score the risk of an OAuth app by its requested scopes, name, and publisher (public, anonymous). Returns a verdict, scope risk score, capabilities, and signals. Does not expose any per-user grant history. No authentication required.
{
"type": "object",
"properties": {
"appId": {
"type": "string",
"description": "OAuth app/client ID (optional)."
},
"appName": {
"type": "string",
"description": "App display name (optional)."
},
"publisherDomain": {
"type": "string",
"description": "Publisher domain (optional)."
},
"permissions": {
"type": "array",
"items": {
"type": "string"
},
"description": "Requested OAuth scopes/permissions (optional but recommended)."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_oauth_app_reputation","arguments":{}}}'Extract indicators of compromise (URLs, domains, emails, IPs, file hashes) from a block of text and check each URL/domain/IP against InboxWatch's threat corpus (public, anonymous). Regex-based extraction, max 10000 chars. No authentication required.
{
"type": "object",
"required": [
"text"
],
"properties": {
"text": {
"type": "string",
"description": "Raw text (email source, log, message) to scan for IOCs. Max 10000 chars."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_extract_iocs","arguments":{}}}'Interpret a sequence of security events into a narrative, an attack-pattern label, MITRE ATT&CK techniques, severity, and recommended actions (public, anonymous). Max 20 events. No authentication required.
{
"type": "object",
"required": [
"events"
],
"properties": {
"events": {
"type": "array",
"description": "Chronological events. Max 20.",
"items": {
"type": "object",
"required": [
"timestamp",
"type",
"description"
],
"properties": {
"timestamp": {
"type": "string",
"description": "ISO timestamp."
},
"type": {
"type": "string",
"description": "Event type (e.g., 'signin', 'rule_created')."
},
"description": {
"type": "string",
"description": "Human-readable description."
}
}
}
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_interpret_attack_chain","arguments":{}}}'Generate a phishing-simulation TRAINING template for security-awareness programs, customized by industry, role, and attack type (public, anonymous). Output is clearly marked training-only. Refuses targeting of named individuals, politicians, or journalists. No authentication required.
{
"type": "object",
"required": [
"industry",
"targetRole"
],
"properties": {
"industry": {
"type": "string",
"description": "Target industry (e.g., 'healthcare')."
},
"targetRole": {
"type": "string",
"description": "Generic job role (e.g., 'accounts payable clerk'). Not a person's name."
},
"attackType": {
"type": "string",
"enum": [
"credential_phish",
"invoice_fraud",
"vendor_impersonation",
"executive_impersonation"
],
"description": "Scenario type (default credential_phish)."
},
"language": {
"type": "string",
"description": "Language code (default 'en'; templates are English in the public tier)."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_generate_phishing_template","arguments":{}}}'Validate a video-meeting link (Zoom, Teams, Google Meet, Webex) (public, anonymous). Confirms the host is an official platform domain and flags brand-spoofing lookalikes (e.g., zoom-meeting.attacker.com). No authentication required.
{
"type": "object",
"required": [
"url"
],
"properties": {
"url": {
"type": "string",
"description": "The meeting URL to check."
}
}
}curl -s https://inboxwatch.ai/api/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"inboxwatch_check_meeting_link_safety","arguments":{}}}'