THE TOOLKIT — RUN THE PRACTICE FROM CLAUDE DESKTOP

Three servers that turn Claude into your municipal-cyber analyst.

The Fit For Gov toolkit is three open MCP servers — a breach feed, a WordPress detector, and a municipal targeter. Install them once. Ask Claude to assemble a target list, scan it, draft a brief, and cite every claim. Public sources only. No telemetry. Yours to run on your own machine.

Free. No account. Same machinery as /recon and /threat-wire, addressable by an agent.

§ I — TOOLS01 / 08

Three servers. Fourteen tools. One pipeline.

Each server is small and focused on a single job. The combined surface is a complete municipal-cyber sales loop — build a list, scan it, generate the dossier with citations.

I · BREACH FEED

municipal-breach-feed

Six tools, one local SQLite cache. Curated municipal-cyber incidents (Hamilton, the April 2026 WordPress supply-chain backdoor, every CCCS advisory), live WordPress CVEs from WPScan, the CISA Known-Exploited list, and aggregated municipal-cyber news. Every record is citation-ready — source URL, retrieval timestamp, verbatim source date — so no claim is undefendable in front of a CAO.

II · DETECTOR

wordpress-detector

Three tools. Fingerprint any public website for WordPress, plugin and theme inventory, TLS posture, and known-CVE exposure. Returns a 0–100 risk score, conservative by design. Identical surface to /recon — passive only, no fuzzing, no admin paths, nothing a logged-out browser cannot already see.

III · TARGETER

municipal-target

Five tools wrapping Open North Represent. Build sorted prospect lists for any province, look up the mayor and council by name, resolve elected officials by postcode. The Canadian municipal directory, addressable by Claude in one prompt.

§ II — DOWNLOADS02 / 08

Two zips. Three servers.

Each archive is a standalone Python program — no compilation, no installer, no service to register. Place each unzipped folder where you keep your tools, install the dependencies once, point Claude Desktop at the file. The Setup below walks every step.

THE BREACH FEED

govtechmcp-v1.zip

municipal-breach-feed — six tools. WPScan, CISA KEV, CCCS, curated breach corpus, news aggregator.

Download · 20KB ↓DETECTOR + TARGETER

inboundfit-v1.zip

wordpress-detector + municipal-target — eight tools. The site scanner and the Open North Represent wrapper, in one archive.

Download · 36KB ↓

Versioned by filename. When the underlying servers change the version number will increment. Re-download to refresh.

§ III — WHAT TO ASK CLAUDE03 / 08

What you can do once it is installed.

Three prompts in increasing scope. Paste any one of them into a Claude Desktop chat after setup; the agent picks the right tools, chains them, and returns structured output.

PROOF — single tool, single answer

“Pull the Hamilton ransomware case from the breach corpus and tell me the financial impact and insurance outcome.”

Claude calls fetch_recent_breaches and replies with the $18.3M financial impact and the denied insurance claim. Citation included. The shortest possible verification that the breach feed is wired up.

THE THREE-WAY COMBO

“Build a target list of British Columbia municipalities with population between 20,000 and 100,000, scan every site, sort by risk, and generate a council brief for the top three.”

Targeter builds the list. Detector scans 15 sites in parallel. Breach feed supplies the citations. Three minutes from one paragraph to three CAO-ready briefs.

THE PRE-MEETING BRIEF

“I have a meeting with the City of Saanich CAO on Thursday. Confirm the council, scan the website with full plugin and CVE checks, generate a pitch dossier, and pull the most relevant BC municipal incident from the last twenty-four months as the peer-anchor.”

A workflow you can save as a Claude Project. Every meeting becomes a structured brief: dossier, three talking points, mayor contact, peer incident. Calibrated to the practice — sober, cited, never alarmist.

§ IV — SETUP04 / 08

Eight steps. Thirty minutes.

What you need: a computer running macOS, Windows, or Linux; the Claude Desktop application (free at claude.ai/download); and the two zips above. Every step has a What should happen line so you can verify you are on track without waiting on support.

STEP 01

Install Python

The servers run on Python 3.10 or newer. Most computers already have a version that qualifies.

Open a terminal:

macOS: ⌘ + Space, type “Terminal”, press Enter.
Windows: Windows + R, type cmd, press Enter.
Linux: use your terminal of choice.

Run:

python3 --version

WHAT SHOULD HAPPEN

You see a version like Python 3.11.6. If 3.10 or higher, skip to Step 2. If lower, or the command is not found: install the latest Python from python.org/downloads. Windows users must check “Add Python to PATH” during install.

STEP 02

Place the unzipped folders

Unzip both archives somewhere they will not be deleted. A clean location:

macOS: /Users/yourname/mcp-servers/
Windows: C:\Users\yourname\mcp-servers\
Linux: /home/yourname/mcp-servers/

After placement, the path to each server’s entry file should look like:

/Users/yourname/mcp-servers/municipal_breach_feed_mcp/municipal_breach_feed_mcp.py
/Users/yourname/mcp-servers/wordpress_detector_mcp/wordpress_detector_mcp.py
/Users/yourname/mcp-servers/municipal_target_mcp/municipal_target_mcp.py

WHAT SHOULD HAPPEN

Three full paths, one per server. Copy them somewhere — you will paste them in Step 5.

STEP 03

Install dependencies

One command installs every Python package the three servers need:

pip3 install mcp pydantic httpx feedparser

WHAT SHOULD HAPPEN

Lines that begin Collecting and end Successfully installed followed by a list of versions.

If the command returns “permission denied,” add --user:

pip3 install --user mcp pydantic httpx feedparser

If pip3 is not recognised on Windows:

python -m pip install mcp pydantic httpx feedparser

STEP 04

Get a free WPScan token (optional)

WPScan is the WordPress vulnerability database. The detector still scores risk without a token; with one, it returns plugin-level CVE detail.

Free at wpscan.com/profile. Sign up, confirm the email, copy the token from your profile page. The free tier is twenty-five requests per day — sufficient for demonstrations and small target lists.

WHAT SHOULD HAPPEN

A token string copied somewhere you can find again. The token never leaves your machine; it is pasted into a local config in the next step.

STEP 05

Connect the servers to Claude Desktop

Claude Desktop reads its tool list from a single configuration file. Open it the fast way:

Open Claude Desktop.
Settings → Developer → Edit Config.
The file opens in your default editor.

If the “Developer” section is hidden, your Claude Desktop build is older than required — update from claude.ai/download.

Replace the file contents with this configuration:

{
  "mcpServers": {
    "municipal-breach-feed": {
      "command": "python3",
      "args": [
        "/REPLACE/WITH/YOUR/PATH/municipal_breach_feed_mcp/municipal_breach_feed_mcp.py"
      ],
      "env": {
        "WPSCAN_API_TOKEN": "REPLACE_WITH_YOUR_WPSCAN_TOKEN"
      }
    },
    "wordpress-detector": {
      "command": "python3",
      "args": [
        "/REPLACE/WITH/YOUR/PATH/wordpress_detector_mcp/wordpress_detector_mcp.py"
      ],
      "env": {
        "WPSCAN_API_TOKEN": "REPLACE_WITH_YOUR_WPSCAN_TOKEN"
      }
    },
    "municipal-target": {
      "command": "python3",
      "args": [
        "/REPLACE/WITH/YOUR/PATH/municipal_target_mcp/municipal_target_mcp.py"
      ]
    }
  }
}

Replace every /REPLACE/WITH/YOUR/PATH/ with the actual folder paths from Step 2. Replace each REPLACE_WITH_YOUR_WPSCAN_TOKEN with your WPScan token, or delete the entire env block if you skipped Step 4.

On Windows, JSON requires backslashes to be doubled. Forward slashes also work and are simpler:

"args": ["C:/Users/yourname/mcp-servers/municipal_breach_feed_mcp/municipal_breach_feed_mcp.py"]

WHAT SHOULD HAPPEN

File saved. Quit Claude Desktop entirely and reopen it. Within ten seconds you should see the tools indicator in the chat input area; clicking it lists the three servers and their tools.

STEP 06

Verify the install

Open a new chat and paste this prompt:

Pull the Hamilton ransomware case from the breach corpus and tell me the financial impact and insurance outcome.

WHAT SHOULD HAPPEN

Claude calls fetch_recent_breaches or search_breaches and returns a sentence naming the CAD $18.3M financial impact and the denied insurance claim. If you see this, all three servers are wired up correctly.

If the response says the tool is not available, return to Step 5 and check every path in the config. The fastest test is ls /your/path/file.pyin a terminal — “No such file or directory” identifies the broken line.

STEP 07

Run the first real workflow

Open a fresh chat and paste:

I want to pitch BC municipalities on Fit For Gov. Build me a list of fifteen BC municipalities with population between 20,000 and 100,000 — large enough to have budget, small enough that we are a fit. Scan every website. Sort by risk. For the top three, generate a sales dossier I can attach to a cold email to the CAO.

WHAT SHOULD HAPPEN

Claude calls build_target_list, then batch_scan_sites, sorts by risk, picks the top three, calls generate_pitch_dossier three times. Output: three Markdown briefs ready to attach to outreach. Roughly ninety seconds end to end.

STEP 08

Save your workflows as Claude Projects

The most-used prompts belong in Claude Projects so the loop is one click and one paragraph from a complete pitch. Two starters the practice uses every week:

PROSPECT-BY-PROVINCE
You are my municipal sales analyst. When I name a Canadian province, you:
1. Build a target list of municipalities in that province with population between 10,000 and 200,000.
2. Scan every website with batch_scan_sites.
3. Return a Markdown table sorted by risk score with columns: municipality, population, risk band, top finding, mayor's email if known.
Cite every breach reference with the source_url field. End with: "Want me to draft outreach for the top three?"

CAO-MEETING-PREP
You are my pre-meeting analyst. When I give you a municipality name or URL, you:
1. Run get_municipality to confirm the city and pull the mayor's contact.
2. Run scan_site with deep_plugin_scan and check_cves enabled.
3. Run generate_pitch_dossier.
4. Cross-reference the findings against fetch_recent_breaches for the same province in the last twenty-four months — find the most relevant incident as the peer-anchor.
Output: a one-page brief with the dossier, a three-bullet talking-points sheet, and the mayor's email and phone.
Tone: serious, factual, never alarmist.

§ V — TOOL REFERENCE05 / 08

Every tool, in plain English.

You do not have to memorise tool names. Claude picks the right one from intent. The reference below pairs each tool with a sample sentence that triggers it.

From municipal-breach-feed

ToolHow you ask

fetch_recent_breaches

“Show me Canadian municipal cyber breaches from the last 24 months.”

fetch_wordpress_cves

“What WordPress core vulnerabilities have been published in the last 90 days?”

fetch_canadian_cyber_alerts

“What is the Canadian Centre for Cyber Security warning about this week?”

fetch_us_kev

“What CMS-related vulnerabilities are on the CISA Known-Exploited list?”

search_breaches

“Find any breach in the corpus involving WordPress supply chain.”

fetch_municipal_news

“What is in the news this month about municipal ransomware?”

From wordpress-detector

ToolHow you ask

scan_site

“Scan https://www.cityofX.ca for WordPress and CVE exposure.”

batch_scan_sites

“Scan all of these URLs and rank them by risk.”

generate_pitch_dossier

“Generate a sales dossier for the City of X based on the scan.”

From municipal-target

ToolHow you ask

list_municipalities

“List Canadian municipalities — show me the ones with "regional" in the name.”

get_municipality

“Tell me about the City of Saanich — website, mayor, council size.”

get_council

“Get me the full Victoria council with email and phone for everyone.”

find_by_postal_code

“Who represents postal code V9A 5J1?”

build_target_list

“Build a BC sales target list for cities of 20,000–100,000.”

§ VI — TROUBLESHOOTING06 / 08

What goes wrong, and what to do.

Six known failure modes. The fix for each is short. If the symptom you see is not on this list, the practice answers the phone.

No tools indicator appears in Claude Desktop.

The servers did not start. Quit Claude entirely, reopen it, wait fifteen seconds. If still nothing, run python3 with the breach-feed path directly in a terminal — the process should hang silently waiting for input. An ImportError means dependencies are missing; a SyntaxError means Python is below 3.10.

"Tool not available" in a chat.

A path in claude_desktop_config.json is wrong. Open the config and verify each args path exists with ls. The fastest test is to copy a path from the config and ls it; "No such file or directory" tells you which one to fix.

WPScan returns rate-limit errors.

You exceeded the free tier of twenty-five requests per day. Wait until tomorrow or upgrade to WPScan Enterprise. Detector still scores risk without WPScan; you only lose per-plugin CVE detail.

BleepingComputer feed returns 403.

Expected. The error is logged in the response payload under cache.fetch_errors. The other three news sources — StateScoop, The Record, Government Technology — carry the load. No tool fails.

find_by_postal_code returns no representatives.

Some Canadian postal codes — especially rural ones — are not in the Represent index. Try a nearby postal code from a town known to be well-represented.

Wikipedia population returns null.

Best-effort and dependent on Wikipedia article phrasing. Not load-bearing — the rest of the workflow runs without population data.

NEXT STEP

Municipal technology, principal-led.

The toolkit is the gift. The conversation is the work. If a scan surfaces something that warrants a fifteen-minute call, the principal answers the phone.

+1 250 415 5678·jesse@fitforgov.com

Reconnaissance →The Threat Wire →The Switch →The Library →← Return to Fit For Gov