ZeroTrace Companion

MCP Server — exposing AirLeak as MCP

Companion can publish your live AirLeak data as an MCP server. Connect from Claude Desktop, Cursor, the claude CLI, or any custom agent.

Companion implements both halves of the Model Context Protocol. The MCP client page covers connecting external MCP servers into Companion. This page covers the other direction — Companion runs its own MCP server that exposes 16 AirLeak tools to any MCP-aware agent.

Why expose AirLeak as MCP

Local LLMs are private but bounded by your hardware. The most capable models live in the cloud. Companion's MCP server lets you keep the capture on your local hardware while connecting a more capable cloud agent (Claude Desktop, Cursor, the claude CLI, custom code) to read the live data.

Use cases:

  • Use Claude Desktop with your live AirLeak data. Ask Claude Desktop "what devices are around me right now?" and it queries your AirLeak via MCP.
  • Use the claude CLI in your terminal for scripted analysis of AirLeak captures.
  • Build a custom agent that uses your AirLeak as one of many data sources.
  • Share your AirLeak data with a teammate's agent (with appropriate auth) for collaborative analysis.

Enabling the server

Settings → AI → AirLeak MCP Server → Enable.

Companion starts the MCP server on a local port (default :8765) at the path /mcp. The server is bound to localhost only by default; to expose on the network, see "Network exposure" below.

Status shows:

  • Running — yes / no.
  • Address — the URL other agents connect to (e.g. http://localhost:8765/mcp).
  • Snapshot age — how fresh the underlying capture data is (in milliseconds).

What gets exposed

The MCP server publishes 16 tools, organised into 5 categories:

Discovery / status (4 tools)

| Tool | What it does |
| --- | --- |
| get_status | Whether the AirLeak hardware is connected and which capture mode it's in |
| get_session_stats | Top-line counts for the active session — total devices, by class, alerts, events |
| get_heartbeat | Latest firmware heartbeat — heap, BLE radio settings, throttle counters, channel info |
| snapshot_age | Diagnostic: how stale is the current capture snapshot in milliseconds |

Devices (6 tools)

| Tool | What it does |
| --- | --- |
| list_devices | Aggregated devices from the active session. Filter by class / vendor; sort by RSSI / observation count / first / last seen / score; limit. |
| lookup_device | One device by MAC. Returns class, vendor, RSSI, observations, first / last seen, BLE name, Apple model, AirTag ID. |
| search_devices | Fuzzy search across MAC, vendor, BLE name, Apple model, and probed SSIDs |
| find_apple_devices | Filter to Apple devices, optionally by kind: iphone, ipad, watch, airpods, mac, airtag, hometv, homepod |
| list_wifi_networks | All Wi-Fi SSIDs observed in the session |
| get_device_history | Per-device observation timeline within the session |

Tracking / safety (3 tools)

| Tool | What it does |
| --- | --- |
| analyze_tracking | Detect approaching, persistent, or following devices |
| find_persistent_devices | Devices observed across long stretches of the session |
| find_unsafe_wifi | Open / WEP / vulnerable Wi-Fi APs in the airspace |

Alerts (2 tools)

| Tool | What it does |
| --- | --- |
| list_alerts | All alerts that fired during the active session |
| get_alert_summary | Counts by severity, top firing rules, etc. |

Library (1 tool)

| Tool | What it does |
| --- | --- |
| search_library | Cross-session library search — find devices that appeared in past sessions |

Connecting Claude Desktop

Claude Desktop is the easiest external client to set up.

In Claude Desktop's MCP configuration (Claude → Settings → Developer → Edit Config), add:

{
  "mcpServers": {
    "zerotrace-airleak": {
      "url": "http://localhost:8765/mcp"
    }
  }
}

Restart Claude Desktop. The 16 tools appear in Claude's tool catalog. Now you can ask Claude:

"What Wi-Fi devices are around me right now?"

…and Claude calls Companion's MCP server in the background to find out.

Connecting Cursor

Cursor's MCP integration uses the same standard. In Cursor's MCP config (Cursor → Settings → MCP), add:

{
  "mcpServers": {
    "zerotrace-airleak": {
      "url": "http://localhost:8765/mcp"
    }
  }
}

Reload Cursor. The tools become available in Cursor's agent.

Connecting the claude CLI

The Anthropic claude CLI uses the same MCP standard. In your project (or globally):

claude mcp add --transport http zerotrace-airleak http://localhost:8765/mcp

Then in any claude session, the AirLeak tools are available alongside your other configured MCP servers.

Connecting a custom agent

The MCP HTTP transport speaks the standard MCP JSON-RPC protocol over HTTP. Any client that speaks MCP can connect — open-source SDKs are available in Python, TypeScript, Go, Rust, and others.

Connect to http://localhost:8765/mcp (or wherever you've configured Companion's MCP server). The handshake is the standard MCP initialize flow. After initialisation, tools/list returns the 16 tools and tools/call invokes them.
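The initialize, tools/list and tools/call exchange described above, as a minimal Python client (an added example, not ZeroTrace code). It assumes the Streamable HTTP transport with plain JSON replies rather than an SSE stream; `McpHttpClient`, the `clientInfo` values and the protocol version string are choices made for this example.

```python
import json
import urllib.request

# Ignore any system proxy: the server is on the local machine.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class McpHttpClient:
    """Minimal MCP client: initialize handshake, tools/list, tools/call."""
    def __init__(self, url="http://localhost:8765/mcp"):  # default from this page
        self.url, self.session_id, self.next_id = url, None, 0

    def _send(self, msg):
        """POST one JSON-RPC message; return the decoded reply, or None if empty."""
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json, text/event-stream"}
        if self.session_id:  # echo the session id issued at initialize, if any
            headers["Mcp-Session-Id"] = self.session_id
        req = urllib.request.Request(self.url, json.dumps(msg).encode(), headers)
        with _opener.open(req, timeout=5) as resp:
            self.session_id = resp.headers.get("Mcp-Session-Id", self.session_id)
            body = resp.read()
        return json.loads(body) if body else None  # assumes JSON, not an SSE stream

    def _rpc(self, method, params=None, notify=False):
        msg = {"jsonrpc": "2.0", "method": method}
        if params is not None:
            msg["params"] = params
        if not notify:  # requests carry an id; notifications do not
            self.next_id += 1
            msg["id"] = self.next_id
        reply = self._send(msg)
        if notify:
            return None
        if "error" in reply:
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply["result"]

    def initialize(self):
        result = self._rpc("initialize", {
            "protocolVersion": "2025-03-26", "capabilities": {},
            "clientInfo": {"name": "example-agent", "version": "0.1"}})
        self._rpc("notifications/initialized", notify=True)
        return result

    def list_tools(self):
        return [tool["name"] for tool in self._rpc("tools/list")["tools"]]

    def call_tool(self, name, arguments=None):
        return self._rpc("tools/call", {"name": name, "arguments": arguments or {}})
```

Call `initialize()` first, then `list_tools()` and `call_tool("snapshot_age")`. A server that answers with an event stream needs one of the MCP SDK clients instead.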

Discovery file

When the MCP server starts, Companion writes a discovery file at:

| Platform | Path |
| --- | --- |
| Windows | %APPDATA%\zerotrace-desktop\airleak-mcp.json |
| macOS | ~/Library/Application Support/zerotrace-desktop/airleak-mcp.json |
| Linux | ~/.config/zerotrace-desktop/airleak-mcp.json |

The file contains the URL, address, PID, and version of the running server. Programmatic clients can read this to discover the running server without configuration.

Network exposure

By default the MCP server binds to localhost only — agents on the same machine can connect, agents on the network cannot. To expose on a network interface (advanced), change the listen address in settings.

Exposing the MCP server on the network gives anyone who can reach the port read access to your AirLeak data. Do this only on trusted networks, ideally with an HTTP authentication layer in front.

Snapshot freshness

The MCP server reads from a snapshot of the AirLeak's live state, refreshed several times per second. The snapshot_age tool reports how stale the current snapshot is in milliseconds.

For most queries, milliseconds-old data is fine. For tracking active movement, sub-second freshness matters; if snapshot_age returns more than a few hundred ms consistently, the AirLeak hardware may be disconnected or struggling.

Disabling the server

Toggle off in settings. The server stops; the discovery file is removed; existing client connections drop.

For sensitive captures where you want zero external exposure, simply leave the MCP server disabled. The internal AI assistant still has access to the full AirLeak workspace via Companion's built-in tools.

What this enables

The combination of Companion's MCP server + a capable cloud agent (like Claude Desktop) is genuinely powerful. You get:

  • Local capture — your AirLeak hardware on your machine, your data on your disk.
  • Cloud reasoning — top-tier model quality from the cloud agent.
  • Bidirectional MCP — the cloud agent can also call its own external tools to enrich your AirLeak data with web lookups, file operations, etc.

Pattern example: ask Claude Desktop:

"Look at my AirLeak data. Find any devices that have probed for SSIDs matching common corporate networks. Use a public OUI database to look up the vendor for each. Save the results as a Markdown file."

Claude Desktop:

  1. Calls search_devices on Companion's MCP server (gets the device list).
  2. Calls a web-fetch MCP server (looks up OUIs).
  3. Calls a filesystem MCP server (writes the Markdown).

Three MCP servers, one query. Companion is one of them.

Privacy posture

The MCP server makes Companion's AirLeak data available to whatever agent connects. Implications:

  • Local connections (Claude Desktop running on the same machine) — data stays on your machine in transit; the cloud LLM provider (Anthropic, OpenAI) sees what your agent sends them.
  • Network connections — data crosses the network in cleartext unless you've added TLS.
  • Discovery file — readable by any process on your machine.

Treat the MCP server's reach as "anyone with access to your machine's network or file system has access to your AirLeak data." For sensitive captures, leave it disabled.
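A local check for the exposure points listed above, written for macOS and Linux (an added example, not part of Companion). The discovery file's key names `url`, `address` (as host:port) and `pid` are assumptions, since this page lists the fields but not their exact names; the function names are hypothetical.

```python
import ipaddress
import json
import os
import stat
from urllib.parse import urlsplit


def is_loopback(host):
    """True only for localhost or a loopback IP literal; unknown hosts fail closed."""
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return host == "localhost"


def pid_alive(pid):
    """POSIX-only liveness probe: signal 0 tests existence without signalling."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # process exists but belongs to another user
    return True


def audit_discovery_file(path):
    """Return findings for the exposure risks this page describes."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("discovery file is readable by other local users")
    with open(path, encoding="utf-8") as fh:
        info = json.load(fh)
    # Assumed keys: "url", "address" (host:port), "pid".
    url = urlsplit(info["url"])
    hosts = {url.hostname}
    if info.get("address"):
        hosts.add(urlsplit("//" + info["address"]).hostname)
    exposed = sorted(h or "(unspecified)" for h in hosts if not is_loopback(h))
    if exposed:
        findings.append("server listens beyond localhost: " + ", ".join(exposed))
        if url.scheme != "https":
            findings.append("AirLeak data crosses the network in cleartext HTTP")
    if os.name == "posix" and "pid" in info and not pid_alive(int(info["pid"])):
        findings.append("stale discovery file: server process is gone")
    return findings
```

An empty list means the server is loopback-only, the file is private to your user, and the recorded process is still running. Processes running as your own user can read the file regardless of its mode.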
