agent-tool
MCP (Model Context Protocol) tool server for AI coding agents.
Why?
Built-in tools in AI coding agents (Claude Code, Cursor, Codex, etc.) have known limitations:
- Tab indentation breaks: LLMs output spaces, but your project uses tabs. The built-in Edit tool writes spaces as-is, corrupting your indentation style.
- Encoding corruption: Editing EUC-KR, Shift-JIS, or GB18030 files silently converts them to UTF-8, breaking legacy projects.
- Too many separate tools: Making the agent find, install, and configure Redis CLI, MySQL client, SSH client, etc. is tedious and error-prone. agent-tool bundles 43 tools into a single binary — one install, everything works.
- Network censorship: In some countries, government-level web filtering breaks plain
curl/wgetrequests. agent-tool uses ECH (Encrypted Client Hello) and DoH (DNS over HTTPS) by default to work around these restrictions.
agent-tool solves these by providing drop-in replacement tools that respect your project's conventions.
Supported Agents
Claude Code, Codex CLI, Cursor, Windsurf, Cline, Gemini CLI, and any MCP-compatible agent.
Features
| Tool | Description | Status |
|---|---|---|
| Edit | String replacement with smart indentation and encoding preservation (supports dry_run) | ✅ |
| Read | Encoding-aware file reading with line range support | ✅ |
| Write | Encoding-aware file creation/overwrite | ✅ |
| Grep | Encoding-aware regex content search | ✅ |
| Glob | File pattern matching with ** recursive support | ✅ |
| ListDir | Directory listing (flat or tree) | ✅ |
| Diff | Compare two files with unified diff output (encoding-aware) | ✅ |
| Patch | Apply unified diff patch to a file (supports dry_run) | ✅ |
| Checksum | Compute file hash (md5, sha1, sha256) | ✅ |
| FileInfo | File metadata (size, encoding, line ending, indentation, line count) | ✅ |
| Compress | Create zip / tar.gz archives | ✅ |
| Decompress | Extract zip / tar.gz archives (Zip Slip/Bomb protection) | ✅ |
| Backup | Timestamped zip backup with exclude patterns. dry_run preview with directory stats, pattern match counts, and largest files | ✅ |
| ConvertEncoding | Convert file encoding (EUC-KR ↔ UTF-8, add/remove BOM, etc.) | ✅ |
| Delete | Safe single-file deletion (no directories, no symlinks, system path protection, dry_run) | ✅ |
| Rename | Atomic file/directory rename or move (dry_run) | ✅ |
| SysInfo | System information — OS, CPU, RAM, disk, uptime, CPU usage measurement | ✅ |
| FindTools | Discover installed dev tools — compilers, runtimes, build systems (Go, .NET, Node, Python, Java, Rust, C/C++, etc.). Searches PATH, env vars, and known locations (~/bin, snap, scoop, Homebrew, SDKMAN, nvm, fnm, pyenv) | ✅ |
| ProcList | List running processes — PID, name, command line, memory. Sensitive args auto-masked. Filter by name or port | ✅ |
| ProcKill | Kill, suspend, or resume processes by PID or port. Tree kill, signal selection (kill/term/hup/int/stop/cont), zombie handling (Linux), dry_run | ✅ |
| ProcExec | Execute commands as new processes. Foreground/background/suspended start (Windows: CREATE_SUSPENDED, Linux: SIGSTOP). Timeout, env vars | ✅ |
| EnvVar | Read environment variables. Sensitive values (passwords, tokens) auto-masked | ✅ |
| Firewall | Read firewall rules — iptables/nftables/firewalld (Linux), netsh (Windows). Read-only | ✅ |
| SSH | Execute commands on remote servers via SSH. Password & key auth (PEM, OpenSSH, PuTTY PPK), session pooling, host key verification (strict/tofu/none), ProxyJump, IPv6 | ✅ |
| SFTP | Transfer files and manage remote filesystems over SSH. Upload, download, ls, stat, mkdir, rm, chmod, rename. Reuses SSH session pool. Max 2 GB per transfer | ✅ |
| Bash | Persistent shell sessions with working directory and environment variable retention. Session pooling (max 5, idle timeout 30 min). Unix: bash/sh, Windows: PowerShell/git-bash/cmd (auto-detected, best available). PowerShell sessions include UTF-8 encoding and PATH enhancement | ✅ |
| WebFetch | Fetch web content as text/Markdown. ECH (Encrypted Client Hello) + DoH (DNS over HTTPS) by default. HTML→Markdown auto-conversion. SSRF protection. HTTP/SOCKS5 proxy. Chrome User-Agent | ✅ |
| WebSearch | Web search via Brave Search or Naver API. Requires API key env vars (BRAVE_SEARCH_API_KEY or NAVER_CLIENT_ID/NAVER_CLIENT_SECRET). Auto-selects engine, Brave preferred | ✅ |
| Download | Download files from URLs to disk. ECH + DoH by default. SSRF protection. HTTP/SOCKS5 proxy. Atomic write. Max 2 GB | ✅ |
| HTTPReq | Execute HTTP requests with any method (GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS). API testing with custom headers, body, proxy. SSRF protection | ✅ |
| JSONQuery | Query JSON files with dot-notation paths (e.g. dependencies.react, items[*].id). Extract specific values without loading entire file into context | ✅ |
| YAMLQuery | Query YAML files with dot-notation paths (same syntax as JSONQuery) | ✅ |
| TOMLQuery | Query TOML files with dot-notation paths (same syntax as JSONQuery). Supports TOML-specific types (datetime, int64) | ✅ |
| Copy | Copy files/directories with atomic write and permission preservation. Recursive directory copy. dry_run preview | ✅ |
| Mkdir | Create directories with optional permission mode (octal, e.g. 0755). Recursive by default (mkdir -p). dry_run preview | ✅ |
| MultiRead | Read multiple files in a single call to reduce API round-trips. Encoding-aware, offset/limit support. Max 50 files | ✅ |
| RegexReplace | Regex find-and-replace across files/directories. Encoding-preserving, capture groups ($1, $2). dry_run preview | ✅ |
| TLSCheck | Check TLS certificate details — subject, issuer, expiry, SANs, TLS version, cipher suite | ✅ |
| DNSLookup | DNS record lookup (A/AAAA/MX/CNAME/TXT/NS/SOA). DNS over HTTPS (DoH) by default for privacy | ✅ |
| MySQL | Execute SQL queries on MySQL/MariaDB. Table-formatted SELECT results, affected rows for DML. Max 1000 rows | ✅ |
| Redis | Execute Redis commands with formatted output by type. TLS support. Dangerous commands (FLUSHALL, SHUTDOWN, etc.) blocked | ✅ |
| PortCheck | Check if a TCP port is open on a host. Returns OPEN/CLOSED with response time. Supports hostname, IPv4, IPv6 | ✅ |
| ExternalIP | Get your external (public) IP address. Multiple providers with automatic fallback (ipify, ifconfig.me, icanhazip) | ✅ |
| SLOC | Count source lines of code per language. 70+ language detection, per-file/language breakdown, blank line stats, max_depth control | ✅ |
| SetConfig | Change runtime settings (encoding, file size limit, symlinks, workspace, etc.) | ✅ |
| Help | Built-in usage guide for agents (encoding, indentation, troubleshooting) | ✅ |
Key Improvements
Smart Indentation
LLMs typically output spaces, but many projects use tabs. AgentTool auto-converts indentation to match the file's existing style.
- Reads
.editorconfigforindent_styleandindent_size - Falls back to content-based detection (first 100 lines)
- Protects legacy files: won't convert if actual content contradicts
.editorconfig
Encoding Preservation
Edits preserve the original file encoding instead of forcing UTF-8.
- Detection priority:
.editorconfigcharset → chardet auto-detection → fallback encoding - Supported: UTF-8, UTF-8 BOM, EUC-KR, Shift-JIS, ISO-8859-1, UTF-16, and more
- Line endings: Preserves
\r\n/\nas-is
Quick Start
- Download the binary for your OS from Releases
- Run
agent-tool install(oragent-tool install claudefor a specific agent) - Restart your IDE / agent
- Done — all tools are available immediately with no permission popups
Or just ask your AI agent to do it for you:
"Download agent-tool from https://github.com/knewstimek/agent-tool/releases/latest and run
agent-tool install"
Any capable AI coding agent (Claude Code, Codex, etc.) can handle the full download → install → restart flow automatically.
Recommended: Add to your CLAUDE.md / AGENTS.md
After installing, agents will have access to agent-tool but may still default to built-in tools (Read, Edit, etc.). To ensure agents prefer agent-tool's encoding-aware, indentation-smart tools, add one of the following to your project's CLAUDE.md or AGENTS.md:
Strict mode (recommended for projects with non-UTF-8 files or mixed indentation):
ALWAYS use agent-tool MCP tools (mcp__agent-tool__*) instead of built-in file tools. agent-tool preserves file encoding and respects .editorconfig indentation settings.
Soft mode (gentle nudge for general projects):
Prefer agent-tool MCP tools (mcp__agent-tool__*) over built-in file tools when available.
Installation
Auto-install (recommended)
# Register with all detected agents (full auto-approve — all tools)
agent-tool install
# Safe mode — only auto-approve local file tools (no SSH, HTTP, DB, shell)
agent-tool install --safe-approve
# No auto-approve — manual approval required for every tool call
agent-tool install --no-auto-approve
# Register with a specific agent
agent-tool install claude
agent-tool install claude --safe-approve
# Uninstall (removes agent-tool entry only, preserves other settings)
agent-tool uninstall # from all agents
agent-tool uninstall claude # from specific agent
Install permission levels:
| Level | Flag | Auto-approved tools |
|---|---|---|
| Full (default) | (none) | All tools (mcp__agent-tool__* wildcard) |
| Safe | --safe-approve | 29 local-only tools (read, edit, write, grep, glob, etc.) — no SSH, HTTP, DB, bash, process control |
| None | --no-auto-approve | No tools — every call requires manual approval |
Manual setup
Claude Code / Cursor / Cline (settings.json or mcp.json):
{
"mcpServers": {
"agent-tool": {
"command": "/path/to/agent-tool"
}
}
}
Codex CLI (~/.codex/config.toml):
[mcp_servers.agent-tool]
command = "/path/to/agent-tool"
Options
# Set fallback encoding for projects with non-UTF-8 files
agent-tool --fallback-encoding EUC-KR
Environment Variable
Set AGENT_TOOL_FALLBACK_ENCODING to avoid repeating the CLI flag every session:
# Windows (no admin required)
setx AGENT_TOOL_FALLBACK_ENCODING EUC-KR
# Linux / macOS (add to ~/.bashrc or ~/.zshrc)
export AGENT_TOOL_FALLBACK_ENCODING=EUC-KR
Priority: CLI flag > environment variable > default (UTF-8).
Runtime Configuration
Agents can change settings at runtime via set_config without restarting:
| Parameter | Description | Default |
|---|---|---|
fallback_encoding | Fallback encoding when auto-detection fails | UTF-8 |
encoding_warnings | Show encoding detection warnings | true |
max_file_size_mb | Max file size for read/edit/grep (MB) | 50 |
allow_symlinks | Allow symlink extraction from tar archives | false |
workspace | Default workspace/project root for tools like glob when no explicit path is given | (cwd) |
allow_http_private | Allow webfetch/download/httpreq to access private IPs | false |
allow_mysql_private | Allow mysql tool to access private IPs | true |
allow_redis_private | Allow redis tool to access private IPs | true |
allow_ssh_private | Allow ssh/sftp tools to access private IPs | true |
enable_doh | Enable DNS over HTTPS globally (webfetch/download/httpreq/dnslookup) | true |
enable_ech | Enable Encrypted Client Hello globally (webfetch/download/httpreq) | true |
Build
go build -o agent-tool .
Cross-compile:
GOOS=linux GOARCH=amd64 go build -o agent-tool .
GOOS=darwin GOARCH=arm64 go build -o agent-tool .
GOOS=windows GOARCH=amd64 go build -o agent-tool.exe .
Troubleshooting
Garbled text (encoding issues)
If Korean, Japanese, or other non-ASCII text appears as garbage characters:
Option 1: Add charset to your .editorconfig:
[*]
charset = euc-kr
Option 2: Set environment variable (persistent):
setx AGENT_TOOL_FALLBACK_ENCODING EUC-KR # Windows
export AGENT_TOOL_FALLBACK_ENCODING=EUC-KR # Linux
Option 3: CLI flag (per-session):
agent-tool --fallback-encoding EUC-KR
Built-in help for agents
agent-tool includes a agent_tool_help tool that agents can call for usage guidance. When an agent encounters encoding warnings or garbled text, it can call:
{ "tool": "agent_tool_help", "arguments": { "topic": "encoding" } }
Available topics: overview, encoding, indentation, tools, troubleshooting
Security
agent-tool provides powerful system access (SSH, MySQL, Redis, file operations, HTTP requests). When used with AI coding agents, be aware of prompt injection risks:
- SSRF Protection: Cloud metadata IPs (169.254.x.x, fe80::/10) are always blocked regardless of settings. Private IP access is configurable per protocol via
set_config(allow_http_private,allow_mysql_private,allow_redis_private,allow_ssh_private) - DLP (Data Loss Prevention): All outbound HTTP request bodies are scanned for sensitive data patterns (PEM private keys, AWS access keys, GitHub/GitLab tokens, Slack tokens, .env file dumps) and blocked before transmission
- Prompt Injection Warnings: Every private IP connection shows a security warning visible to both the user and the AI agent, helping detect prompt injection attacks from fetched web content
- Zip Slip protection: Archive entries with
../path traversal are blocked (both zip and tar) - Zip Bomb protection: Single file limit (1GB), total extraction limit (5GB)
- Symlinks: Skipped by default. Enable via
set_config allow_symlinks=true(tar only; zip symlinks always skipped). Even when enabled, symlinks targeting outside the output directory are blocked - File size limit: Configurable max file size (default 50MB) prevents OOM on large files. Adjustable via
set_config max_file_size_mb=N - Encoding safety: chardet uses 64KB sample (not full file) for memory efficiency
For maximum security, review the AI agent's tool calls before approving, especially for SSH commands, HTTP requests to external URLs, and database queries.
Tech Stack
- Language: Go
- MCP SDK: github.com/modelcontextprotocol/go-sdk
- Encoding: saintfish/chardet + golang.org/x/text
- Distribution: Single binary (cross-compiled)