
How to add GhidraMCP to Windsurf
Lets LLMs reverse engineer binaries in Ghidra: decompile functions, rename symbols, trace imports, exports and xrefs. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 9.4k★ · stdio · no auth
Windsurf config for GhidraMCP
python bridge_mcp_ghidra.py --ghidra-server http://127.0.0.1:8080/

{
  "mcpServers": {
    "ghidramcp": {
      "command": "python",
      "args": [
        "/ABSOLUTE_PATH_TO/bridge_mcp_ghidra.py",
        "--ghidra-server",
        "http://127.0.0.1:8080/"
      ]
    }
  }
}

Setup steps
1. Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
2. Paste the GhidraMCP config shown above.
3. Fill in placeholder secrets, then save.
4. Click Refresh in the MCP panel.
5. GhidraMCP's tools become available to Cascade.
Before you start
- Ghidra installed (ghidra-sre.org)
- Python 3 with the MCP Python SDK installed
- GhidraMCP release zip matching your Ghidra version
What GhidraMCP can do in Windsurf
- list_methods: List all function names in the program, paginated
- list_classes: List all namespace/class names, paginated
- decompile_function: Decompile a function by name and return the C-like source
- decompile_function_by_address: Decompile the function at a given address
- disassemble_function: Get assembly listing for the function at an address
- rename_function: Rename a function by its current name
- rename_function_by_address: Rename the function at a given address
- rename_data: Rename a data label at an address
Security
The Ghidra plugin opens an unauthenticated HTTP server (default 127.0.0.1:8080) — any local process can drive your Ghidra session, so keep it bound to localhost. Analysis itself stays on your machine, but decompiled code goes to your model provider whenever the agent reads it, which matters for proprietary or sensitive binaries.
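As an added example (not part of GhidraMCP or Windsurf), the Python check below reads an mcp_config.json and flags any entry whose --ghidra-server URL points anywhere other than loopback, since that would send requests to the unauthenticated plugin over the network, or whose bridge path is still the /ABSOLUTE_PATH_TO/ placeholder. The function names, the sample configs and the /opt/GhidraMCP path are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname may resolve off-box; treat as exposed

def audit_mcp_config(text):
    """Return a list of findings for the MCP server entries in a config file."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, entry in servers.items():
        args = entry.get("args", [])
        if any("ABSOLUTE_PATH_TO" in a for a in args):
            findings.append(f"{name}: bridge path placeholder not filled in")
        if "--ghidra-server" not in args:
            continue  # no explicit target in this entry, nothing to check
        idx = args.index("--ghidra-server")
        url = args[idx + 1] if idx + 1 < len(args) else ""
        if not is_loopback(urlsplit(url).hostname):
            findings.append(f"{name}: --ghidra-server {url!r} is not loopback")
    return findings

# Constructed sample configs (not taken from a real machine).
GOOD = '''{"mcpServers": {"ghidramcp": {"command": "python", "args": [
  "/opt/GhidraMCP/bridge_mcp_ghidra.py",
  "--ghidra-server", "http://127.0.0.1:8080/"]}}}'''
BAD = '''{"mcpServers": {"ghidramcp": {"command": "python", "args": [
  "/ABSOLUTE_PATH_TO/bridge_mcp_ghidra.py",
  "--ghidra-server", "http://192.168.1.20:8080/"]}}}'''

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, audit_mcp_config(cfg) or "ok")
```

To audit a real file, pass the contents of ~/.codeium/windsurf/mcp_config.json to audit_mcp_config.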
GhidraMCP + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the GhidraMCP config there under the "mcpServers" key and restart the client.
Is GhidraMCP an official NSA/Ghidra project?
No — it's a community project by researcher LaurieWired. Ghidra itself is the NSA's open-source reverse-engineering suite; GhidraMCP is a third-party plugin plus bridge that exposes it over MCP. Both are Apache-2.0.
Is it safe to use on sensitive binaries?
Everything runs locally, but two caveats: the plugin's HTTP server has no auth (keep it on 127.0.0.1), and any decompiled code the agent reads is sent to your model provider. For classified or NDA-bound binaries, that second point is usually the blocker.
Do I need to keep Ghidra open while using it?
Yes. The server runs inside Ghidra with your project loaded — the Python bridge only proxies MCP calls to that live session. Close Ghidra and the tools stop responding.