Two cooperating layers for Maltego Desktop:

• Phase A (TypeScript MCP server): lets an LLM author Maltego .mtgx graph files and run primitive OSINT lookups (whois / DNS / ASN / crt.sh). Graphs land on disk and you open them in Maltego Desktop.
• Phase B (Python TRX transforms in a .mtz): adds right-click pivots into MISP, TheHive, Cortex, and the bundled MITRE ATT&CK dataset directly inside Maltego Desktop. See transforms/README.md.

The two phases share the repo, nothing else. Either layer can be uninstalled without breaking the other.

• Node.js 20+
• Maltego Graph Desktop (Basic, Pro, or Enterprise) for either layer to be useful
• Phase B only: Python 3.11+ on the Maltego host

Graph authoring

• maltego_create_graph(name) — returns graphId
• maltego_add_entity(graphId, type, value, properties?) — returns entityId
• maltego_add_link(graphId, from, to, label?, properties?) — returns linkId
• maltego_save_graph(graphId, path, overwrite?) — writes .mtgx
• maltego_load_graph(path) — parses an existing .mtgx into a new handle

Primitive lookups

• maltego_whois(domain) — registrar, nameservers, dates
• maltego_dns(domain) — A/AAAA/MX/NS/TXT
• maltego_asn(ip) — Team Cymru ASN, prefix, country, org
• maltego_crtsh(domain) — certificate transparency entries

Convenience expanders

• maltego_expand_ip(ip, outputPath, overwrite?) — IP + ASN + netblock, saved as .mtgx
• maltego_expand_domain(domain, outputPath, overwrite?) — domain + whois + DNS + ASN per A record
• maltego_expand_hash(hash, outputPath, algorithm?, overwrite?) — hash entity (extend in later versions)

Standard Maltego ontology: IPv4Address, IPv6Address, Domain, URL, Hash, EmailAddress, Netblock, AS, Website, Company, Person. For concepts without a standard type, use Phrase with a category prefix ([T1566] Phishing, [TheHive] Case #42).

maltego-mcp does not embed third-party threat-intel clients. For MISP events, ATT&CK techniques, Cortex reports, etc., call the dedicated MCPs (misp-mcp, mitre-mcp, cortex-mcp, etc.) and pipe results into maltego_add_entity / maltego_add_link. Or, for in-Maltego pivots, install Phase B (below).

npm install -g maltego-mcp

Or from source (required for Phase B transforms):

git clone https://github.com/solomonneas/maltego-mcp.git
cd maltego-mcp
npm install
npm run build

Both env vars are optional.

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "maltego": {
      "command": "maltego-mcp"
    }
  }
}

Or, when running from a source checkout instead of the global npm install:

{
  "mcpServers": {
    "maltego": {
      "command": "node",
      "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
    }
  }
}

Restart Claude Desktop. The maltego_* tools should appear.

claude mcp add maltego -- maltego-mcp

Or from a source checkout:

claude mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js

Add --scope user to make it available from any directory instead of only the current project.

Recommended: install as an OpenClaw plugin via ClawHub.

openclaw plugins install clawhub:maltego
systemctl --user restart openclaw-gateway
openclaw plugins list   # confirm "maltego" is registered

This installs the same package as a native OpenClaw plugin — tool calls go through the plugin SDK directly instead of spawning a separate stdio MCP process. Configure outputDir and lookupTimeoutMs in OpenClaw's plugin config UI or via the JSON config file.

Or, register as a stdio MCP server (manual):

openclaw mcp set maltego '{
  "command": "maltego-mcp"
}'

Or, when running from a source checkout:

openclaw mcp set maltego '{
  "command": "node",
  "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "maltego" is registered

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  maltego:
    command: "maltego-mcp"

Or, when running from a source checkout:

mcp_servers:
  maltego:
    command: "node"
    args: ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI registers MCP servers via codex mcp add:

codex mcp add maltego -- maltego-mcp

Or from a source checkout:

codex mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.maltego]. Verify with:

codex mcp list

A separate Python transform layer ships right-click pivots into MISP, TheHive, Cortex, and ATT&CK directly inside Maltego Desktop. See transforms/README.md for full setup.

Quick start (from a source checkout, on the Maltego host):

npm run setup:transforms     # creates transforms/.venv with maltego-trx pinned
npm run build:mtz            # writes dist/maltego-mcp-transforms.mtz
# Then in Maltego: Import -> Configuration -> dist/maltego-mcp-transforms.mtz

The build bakes the absolute path of transforms/.venv into the manifest, so the .mtz is tied to the host that built it. Re-run npm run build:mtz if the repo moves.

Build me a Maltego graph for the domain example.com with whois, DNS, and ASN expansion.

Calls maltego_expand_domain and returns the path to the saved .mtgx.

Pivot from this IP — give me ASN + netblock as a Maltego graph.

Calls maltego_expand_ip.

Look up the cert transparency log for example.com.

Calls maltego_crtsh and returns matching certificates.

npm test                # Phase A unit tests (vitest)
npm run test:integration
npm run test:all
npm run typecheck
npm run test:transforms # Phase B pytest suite

MIT