Memory Shell Detector

Provides Java memory shell detection and cleanup capabilities via MCP with local or SSH execution.
  • python

11

GitHub Stars

python

Language

5 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "ruoji6-memory-shell-mcp": {
      "command": "uvx",
      "args": [
        "memory-shell-mcp"
      ],
      "env": {
        "SSH_HOST": "192.0.2.10",
        "SSH_PORT": "22",
        "JAVA_HOME": "/usr/lib/jvm/java-8-openjdk",
        "TOOLS_DIR": "/opt/tools/memory-shell-detector",
        "SSH_KEY_PATH": "/home/user/.ssh/id_rsa",
        "SSH_PASSWORD": "your_password",
        "SSH_USERNAME": "root"
      }
    }
  }
}

Memory Shell Detector MCP is a Java memory shell detection and cleanup tool built on FastMCP. It lets you run detection locally or over SSH, automatically analyse suspicious Java code, and remove memory shells with AI-assisted confirmation. This MCP helps you quickly identify and sanitize memory shells in Java applications while providing configurable execution and reporting options.

How to use

You can run the Memory Shell Detector MCP from a client that supports Model Context Protocol (MCP). Choose a local or remote execution path, scan Java processes, analyze suspicious classes, and remove confirmed memory shells with AI confirmation. You can export a detection report for future audits.

How to install

Prerequisites you need before installing and running memory-shell-detector MCP: Python 3.10 or newer, Java JDK 1.8 or newer on the target machines, and uvx as the MCP deployment runner.

Step-by-step local installation and run flow you can follow:

# 1) Install the MCP package in a Python virtual environment
uv venv --python python3.12
source .venv/bin/activate  # Linux/macOS
# .venv\Scripts\activate   # Windows

uv pip install -e .

# 2) Run the MCP locally
memory-shell-mcp

Configuration and usage details

The MCP can be exposed to clients via stdio (local execution) configurations. Three example configurations are provided for common MCP clients. Each config uses the stdio interface with the command and arguments shown.

{
  "mcpServers": {
    "memory_shell_detector_kiro": {
      "command": "uvx",
      "args": ["memory-shell-mcp"],
      "env": {}
    }
  }
}
{
  "mcpServers": {
    "memory_shell_detector_claude": {
      "command": "uvx",
      "args": ["memory-shell-mcp"],
      "env": {}
    }
  }
}
{
  "mcpServers": {
    "memory_shell_detector_dev": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/memory-shell-mcp",
        "memory-shell-mcp"
      ],
      "env": {}
    }
  }
}

Security features

Before removing a memory shell, the tool fetches the source code for AI analysis. Removal is performed only after AI confirmation (ai_confirmed=true). The system also handles removal confirmations automatically to ensure a safe and auditable cleanup.

Environment and prerequisites

Optional environment variables are supported to customize behavior. If not set, tools download to a system temporary directory. SSH parameters can be provided on the fly via AI conversations and take precedence over environment variables.

Usage flow overview

Complete detection workflow includes downloading tools, listing Java processes, scanning a target process, viewing decompiled class code for suspicious classes, confirming memory shells, removing them, re-scanning to verify, and exporting a report.

Troubleshooting and notes

  • Ensure you have sufficient permissions to scan and modify the target processes. - Use the same or compatible JDK versions on the target machines and the tool. - If an agent-based memory shell is detected, removal may require a restart of the affected application. - Removals can impact running services; plan maintenance windows and back up data as needed.

Tools and capabilities overview

Key capabilities include executing commands locally or via SSH, downloading detection tools, listing Java processes, scanning processes, viewing suspicious class code, removing memory shells with AI confirmation, exporting reports, and gathering system information and network status.

Examples and prompts

You can prompt the AI to perform a local or remote memory shell check by outlining steps: download tools, list Java processes, scan a target PID, inspect suspicious classes, confirm and remove, re-scan, and export a final report.

Available tools

execute_command

Run a command either locally or over SSH to interact with the target JVM.

download_detector_tools

Download the memory shell detector tools and dependencies.

list_java_processes

List all running Java processes on the target machine.

scan_process

Scan a specific Java process to identify suspicious classes.

view_class_code

Decompile and view source for a suspicious class to aid analysis.

remove_memory_shell

Remove confirmed memory shell by class name from a target PID after AI confirmation.

export_report

Export a detection report detailing findings and actions taken.

get_system_info_tool

Collect system information to help assess the environment.

check_network

Check network status and connections related to detected memory shells.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational