mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 14:28:43 +02:00
1.7 KiB
1.7 KiB
Plugin Development
Plugins can integrate with CyberStrikeAI through HTTP APIs, MCP servers, or resource packs such as tools, roles, Skills, and agents.
Plugin Layers
| Layer | Example | Benefit | Cost |
|---|---|---|---|
| API plugin | Burp extension calls /api/eino-agent |
simple UI integration | depends on API/auth |
| MCP plugin | exposes tools to Agent | Agent can call it | needs schema and safety design |
| Resource pack | ships tools/roles/skills/agents | simple and versionable | less interactive |
Do not start with MCP unless the Agent must actively call your capability.
API Plugin Payload
Include:
- source tool and context;
- target URL, method, key headers;
- truncation policy for request/response bodies;
- user intent;
- authorization boundary.
Large responses should be uploaded or summarized, not pasted whole into the prompt.
MCP Schema Design
Bad:
{"cmd":{"type":"string"}}
Better:
{
"target_url": {"type":"string","description":"authorized target URL"},
"scan_profile": {"type":"string","enum":["passive","active-safe"]},
"max_requests": {"type":"integer","description":"request limit"}
}
Specific schemas make HITL and Agent behavior safer.
Security Boundaries
Plugins should not bypass platform controls:
- no hidden destructive local commands;
- no plaintext long-lived credentials;
- no default third-party data exfiltration;
- no dependency on browser state to bypass login.
Source Anchors
- Burp plugin:
plugins/burp-suite/cyberstrikeai-burp-extension/src/main/java/burp/ - OpenAPI:
internal/handler/openapi.go - External MCP:
internal/handler/external_mcp.go