{"id":51301533,"url":"https://github.com/badchars/steganography-mcp","last_synced_at":"2026-06-30T20:02:19.356Z","repository":{"id":368325198,"uuid":"1284448192","full_name":"badchars/steganography-mcp","owner":"badchars","description":"128-tool MCP server for steganography analysis — LSB detection, chi-square steganalysis, RS analysis, JPEG/F5/JSteg/OutGuess detection, BPCS, video \u0026 GIF stego, network covert channels, MP3 stego, spread spectrum, archive stego, QR code analysis, audio stego, text encoding, file forensics. 100% offline, zero API keys.","archived":false,"fork":false,"pushed_at":"2026-06-30T03:29:30.000Z","size":787,"stargazers_count":1,"open_issues_count":5,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-30T05:12:17.981Z","etag":null,"topics":["ai","bpcs","claude","cli","ctf","digital-forensics","forensics","image-analysis","lsb","mcp","model-context-protocol","mp3-steganography","network-steganography","qr-code","security","spread-spectrum","steganalysis","steganography","typescript","video-steganography"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/steganography-mcp","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/badchars.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"buy_me_a_coffee":"orhanyildirim","github":"badchars"}},"created_at":"2026-06-29T21:52:20.000Z","updated_at":"2026-06-30T03:49:16.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/badchars/steganography-mcp","commit_stats":null,"previous_names":["badchars/steganography-mcp"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/badchars/steganography-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/badchars%2Fsteganography-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/badchars%2Fsteganography-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/badchars%2Fsteganography-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/badchars%2Fsteganography-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/badchars","download_url":"https://codeload.github.com/badchars/steganography-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/badchars%2Fsteganography-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34981391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-30T02:00:05.919Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","bpcs","claude","cli","ctf","digital-forensics","forensics","image-analysis","lsb","mcp","model-context-protocol","mp3-steganography","network-steganography","qr-code","security","spread-spectrum","steganalysis","steganography","typescript","video-steganography"],"created_at":"2026-06-30T20:02:15.208Z","updated_at":"2026-06-30T20:02:19.345Z","avatar_url":"https://github.com/badchars.png","language":"TypeScript","funding_links":["https://buymeacoffee.com/orhanyildirim","https://github.com/sponsors/badchars"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eEnglish\u003c/strong\u003e |\n  \u003ca href=\"docs/readme/README.zh.md\"\u003e中文\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.zh-TW.md\"\u003e繁體中文\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.ko.md\"\u003e한국어\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.ja.md\"\u003e日本語\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.de.md\"\u003eDeutsch\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.es.md\"\u003eEspañol\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.fr.md\"\u003eFrançais\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.it.md\"\u003eItaliano\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.da.md\"\u003eDansk\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.no.md\"\u003eNorsk\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.pl.md\"\u003ePolski\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.ru.md\"\u003eРусский\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.bs.md\"\u003eBosanski\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.uk.md\"\u003eУкраїнська\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.pt-BR.md\"\u003ePortuguês (BR)\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.ar.md\"\u003eالعربية\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.th.md\"\u003eไทย\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.tr.md\"\u003eTürkçe\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.bn.md\"\u003eবাংলা\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.hi.md\"\u003eहिन्दी\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.el.md\"\u003eΕλληνικά\u003c/a\u003e |\n  \u003ca href=\"docs/readme/README.vi.md\"\u003eTiếng Việt\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/banner-dark.svg\"\u003e\n    \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"docs/banner-light.svg\"\u003e\n    \u003cimg alt=\"steganography-mcp\" src=\"docs/banner-dark.svg\" width=\"830\"\u003e\n  \u003c/picture\u003e\n\u003c/div\u003e\n\n\u003ch3 align=\"center\"\u003eThe most comprehensive steganography analysis toolkit for AI agents.\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  LSB detection, chi-square steganalysis, RS analysis, DCT forensics, F5/JSteg/OutGuess detection, BPCS analysis, video \u0026amp; GIF steganography, network covert channels, MP3 stego, spread spectrum watermarks, archive stego, QR code analysis, audio steganography, zero-width text encoding, file forensics, polyglot detection, encoding identification \u0026mdash; unified into a single MCP server.\u003cbr\u003e\n  \u003cb\u003e128 tools. 17 categories. 4 dependencies. 100% offline.\u003c/b\u003e Zero API keys required. Every tool runs locally.\n\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#the-problem\"\u003eThe Problem\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#how-its-different\"\u003eHow It's Different\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#what-the-ai-can-do\"\u003eWhat The AI Can Do\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#tools-reference-128-tools\"\u003eTools (128)\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#cli-usage\"\u003eCLI Usage\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#architecture\"\u003eArchitecture\u003c/a\u003e \u0026bull;\n  \u003ca href=\"CONTRIBUTING.md\"\u003eContributing\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.com/package/steganography-mcp\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/steganography-mcp.svg\" alt=\"npm version\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/steganography-mcp\"\u003e\u003cimg src=\"https://img.shields.io/npm/dm/steganography-mcp\" alt=\"npm downloads\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue\" alt=\"License MIT\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/node-%3E%3D18-brightgreen\" alt=\"Node \u003e= 18\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/MCP-Compatible-blueviolet\" alt=\"MCP Compatible\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/tools-128-cyan\" alt=\"128 Tools\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/API_keys-Zero-green\" alt=\"Zero API Keys\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/TypeScript-strict-3178c6\" alt=\"TypeScript strict\"\u003e\n  \u003ca href=\"https://github.com/badchars/steganography-mcp\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/badchars/steganography-mcp\" alt=\"GitHub stars\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## The Problem\n\nSteganography is the art of hiding data in plain sight \u0026mdash; inside images, audio files, documents, and even Unicode text. It is used in CTF competitions, digital forensics investigations, covert communication channels, and malware payloads. Detecting it requires a combination of statistical analysis, format-specific parsing, entropy measurement, and domain expertise.\n\n```\nTraditional steganography analysis workflow:\n  detect image stego          -\u003e  zsteg + stegsolve (2 tools, Ruby + Java)\n  chi-square analysis         -\u003e  custom Python script\n  RS analysis                 -\u003e  custom MATLAB/Python code\n  JPEG DCT forensics          -\u003e  stegdetect (abandoned C tool from 2004)\n  extract LSB data            -\u003e  zsteg + steghide + openstego (3 tools)\n  audio steganography         -\u003e  Audacity manual + custom scripts\n  zero-width text detection   -\u003e  web-based tools + manual inspection\n  file forensics / binwalk    -\u003e  binwalk + foremost + xxd (3 tools)\n  EXIF metadata               -\u003e  exiftool (Perl dependency)\n  encoding detection          -\u003e  CyberChef web UI + manual guessing\n  ─────────────────────────────────\n  Total: 10+ tools, 5+ languages, hours of manual correlation\n```\n\n**steganography-mcp** gives your AI agent 128 tools across 17 categories via the [Model Context Protocol](https://modelcontextprotocol.io). The agent performs image steganalysis, advanced JPEG forensics (F5/JSteg/OutGuess/PVD detection), BPCS analysis, video \u0026amp; GIF steganography, network covert channel detection, MP3 stego, spread spectrum watermark detection, archive stego, QR code analysis, audio analysis, text steganography detection, file forensics, document analysis, and encoding identification \u0026mdash; all in a single conversation, all running 100% locally with zero dependencies on external services.\n\n```\nWith steganography-mcp:\n  You: \"Analyze this CTF challenge image for hidden data\"\n\n  Agent: -\u003e img_detect: Chi-square p=0.0001 (LSB embedding detected),\n            RS analysis estimates 42% embedding rate, entropy anomaly\n            in lower-right quadrant\n         -\u003e img_lsb_extract: Extracted 847 bytes from RGB LSBs\n         -\u003e crypto_detect: Extracted data is Base64-encoded\n         -\u003e crypto_decode: Decoded to \"FLAG{hidden_in_plain_sight_2024}\"\n         -\u003e img_known_tools: Signature match for OpenStego\n\n         \"The image contains LSB steganography embedded with OpenStego.\n          Chi-square test confirms LSB replacement in all three RGB\n          channels with 42% embedding rate. The hidden payload is\n          Base64-encoded and decodes to the flag:\n          FLAG{hidden_in_plain_sight_2024}\"\n```\n\n---\n\n## How It's Different\n\nMost steganography tools are single-purpose utilities. steganography-mcp gives your AI agent the ability to **reason across all steganography techniques simultaneously**.\n\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003e\u003c/th\u003e\n\u003cth\u003eTraditional Approach\u003c/th\u003e\n\u003cth\u003esteganography-mcp\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eInterface\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003e10+ CLI tools, 5+ languages, web UIs\u003c/td\u003e\n\u003ctd\u003eMCP \u0026mdash; AI agent calls tools conversationally\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eCoverage\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eOne technique at a time\u003c/td\u003e\n\u003ctd\u003e17 categories, 128 tools in parallel\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eImage analysis\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003ezsteg (Ruby), stegsolve (Java), custom scripts\u003c/td\u003e\n\u003ctd\u003eAgent runs chi-square, RS analysis, SPA, entropy map, histogram, bit plane extraction, metadata, and tool signature detection \u0026mdash; all at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eJPEG forensics\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003estegdetect (abandoned), manual DCT inspection\u003c/td\u003e\n\u003ctd\u003eAgent analyzes DCT histogram, double compression, quantization tables, EXIF deep analysis, thumbnail comparison, comment fields\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eAudio stego\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eAudacity + manual LSB scripts\u003c/td\u003e\n\u003ctd\u003eAgent performs LSB chi-square, spectrum analysis, silence region LSB check, echo hiding detection, metadata extraction\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eText stego\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eWeb-based tools, manual inspection\u003c/td\u003e\n\u003ctd\u003eAgent detects zero-width chars, whitespace encoding, invisible Unicode, homoglyphs, acrostics \u0026mdash; and can embed/extract ZWC messages\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eDependencies\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eRuby, Java, Perl, Python, C, web tools\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enpx -y steganography-mcp\u003c/code\u003e \u0026mdash; 4 dependencies, pure TypeScript\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eAPI keys\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eN/A (but fragmented toolchain)\u003c/td\u003e\n\u003ctd\u003eZero. 100% offline, no external calls\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cb\u003eOutput\u003c/b\u003e\u003c/td\u003e\n\u003ctd\u003eRaw text, images, manual correlation\u003c/td\u003e\n\u003ctd\u003eStructured JSON \u0026mdash; AI correlates findings automatically\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\n---\n\n## Quick Start\n\n### Option 1: npx (no install)\n\n```bash\nnpx -y steganography-mcp\n```\n\nAll 128 tools work immediately. No API keys. No configuration. 100% offline.\n\n### Option 2: bunx (faster)\n\n```bash\nbunx steganography-mcp\n```\n\n### Option 3: Clone\n\n```bash\ngit clone https://github.com/badchars/steganography-mcp.git\ncd steganography-mcp\nbun install\n```\n\n### Connect to your AI agent\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003eClaude Code\u003c/b\u003e\u003c/summary\u003e\n\n```bash\n# With npx\nclaude mcp add steganography -- npx -y steganography-mcp\n\n# With local clone\nclaude mcp add steganography -- bun run /path/to/steganography-mcp/src/index.ts\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eClaude Desktop\u003c/b\u003e\u003c/summary\u003e\n\nAdd to `~/Library/Application Support/Claude/claude_desktop_config.json`:\n\n```json\n{\n  \"mcpServers\": {\n    \"steganography\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"steganography-mcp\"]\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCursor / Windsurf / other MCP clients\u003c/b\u003e\u003c/summary\u003e\n\nSame JSON config format. Point the command to `npx -y steganography-mcp` or your local installation path.\n\n\u003c/details\u003e\n\n### Start analyzing\n\n```\nYou: \"Check this image for hidden data\"\n```\n\nThat's it. The agent runs chi-square analysis, RS analysis, entropy mapping, metadata extraction, appended data detection, and tool signature scanning \u0026mdash; automatically.\n\n---\n\n## What The AI Can Do\n\n### CTF Challenge Solver\n\n```\nYou: \"Solve this CTF steganography challenge — the image is at challenge.png\"\n\nAgent: -\u003e img_detect: Chi-square steganalysis detects LSB embedding\n          (p=0.00012), RS analysis estimates 38% embedding rate,\n          entropy anomaly at blocks (12,4)-(15,8)\n       -\u003e img_lsb_extract: Extracted 1,247 bytes from RGB channel LSBs\n       -\u003e crypto_detect: Data matches Base64 pattern (confidence: 0.95)\n       -\u003e crypto_decode: \"Q1RGe3N0M2cwX21hc3Rlcn0=\" -\u003e \"CTF{st3g0_master}\"\n       -\u003e img_known_tools: OpenStego signature detected in PNG chunks\n\n       \"Found the flag: CTF{st3g0_master}\n        The image uses LSB steganography embedded by OpenStego.\n        The payload was Base64-encoded in the RGB least significant\n        bits with a 38% embedding rate.\"\n```\n\n### Digital Forensics Investigation\n\n```\nYou: \"Analyze suspect.png and suspect.wav for covert communication\"\n\nAgent: -\u003e img_detect: No LSB stego detected, but appended data found\n          (12,847 bytes after PNG IEND marker)\n       -\u003e file_identify: Appended data starts with ZIP signature (PK)\n       -\u003e img_metadata: PNG tEXt chunk contains unusual key \"comm\"\n          with Base64 value\n       -\u003e audio_detect: WAV file has LSB chi-square anomaly (p=0.003)\n       -\u003e audio_silence: 3 silent sections with active LSBs detected\n       -\u003e audio_lsb_extract: Extracted 2,048 bytes of hidden data\n\n       \"Both files contain hidden data:\n        1. suspect.png has a ZIP archive appended after the PNG EOF\n           marker, plus a Base64-encoded message in metadata\n        2. suspect.wav contains LSB steganography, specifically in\n           silent sections — a strong indicator of intentional hiding.\n        Recommend extracting the ZIP and analyzing WAV payload.\"\n```\n\n### Zero-Width Text Detection\n\n```\nYou: \"This email looks normal but might have hidden text\"\n\nAgent: -\u003e text_detect: 847 zero-width characters detected between\n          visible characters\n       -\u003e text_zwc_detect: ZWSP (342), ZWNJ (505) found at 127\n          positions throughout the text\n       -\u003e text_zwc_extract: Binary decoding yields \"EXFIL-ROUTE-7\"\n       -\u003e text_invisible_scan: 3 additional invisible Unicode chars\n          (U+2060, U+FEFF) found in header section\n\n       \"The email contains a hidden message encoded with zero-width\n        characters: 'EXFIL-ROUTE-7'. 847 invisible characters are\n        dispersed throughout the visible text using ZWSP/ZWNJ binary\n        encoding. Additionally, 3 Word Joiner and BOM characters\n        were found in the header — likely metadata artifacts.\"\n```\n\n### JPEG Forensic Analysis\n\n```\nYou: \"Is this JPEG image authentic or has it been tampered with?\"\n\nAgent: -\u003e jpeg_structure: 14 markers parsed, normal JFIF structure\n       -\u003e jpeg_double_compression: Double compression DETECTED —\n          blocking artifact score 0.73, quantization anomaly ratio 0.81\n       -\u003e jpeg_quantization: Quality ~75 (luminance), but residual\n          patterns suggest original was quality ~92\n       -\u003e jpeg_exif_deep: EXIF says \"iPhone 14 Pro\" but Software\n          field says \"Adobe Photoshop 25.0\"\n       -\u003e jpeg_thumbnail_compare: Thumbnail dimensions do NOT match\n          main image (thumbnail: 4032x3024, main: 2048x1536)\n\n       \"This JPEG has been tampered with. Evidence:\n        1. Double compression detected — the image was decoded and\n           re-encoded at lower quality (original ~92, current ~75)\n        2. EXIF claims iPhone 14 Pro but software field reveals\n           Photoshop editing\n        3. Thumbnail is from the original 4032x3024 capture but\n           the main image was resized to 2048x1536\n        All three findings independently confirm post-capture\n        modification.\"\n```\n\n---\n\n## Tools Reference (128 tools)\n\n### Category Overview\n\n| Category | Tools | Description |\n|----------|-------|-------------|\n| [Image Steganalysis](#-image-steganalysis-14) | 14 | LSB detection, chi-square, RS analysis, entropy mapping, bit planes, histogram, metadata, tool signatures |\n| [JPEG Analysis](#-jpeg-analysis-7) | 7 | DCT histogram, double compression, quantization tables, deep EXIF, thumbnail forensics, comment analysis |\n| [Advanced JPEG](#-advanced-jpeg-7) | 7 | F5, JSteg, OutGuess, PVD detection, sliding window chi-square, crop-recalibrate steganalysis, tool compatibility |\n| [Audio Steganalysis](#-audio-steganalysis-7) | 7 | WAV LSB detection, spectrum analysis, silence region analysis, echo hiding, metadata extraction |\n| [Text \u0026 Unicode](#-text--unicode-10) | 10 | Zero-width chars, whitespace encoding, invisible Unicode, homoglyphs, acrostics, Unicode analysis |\n| [File Forensics](#-file-forensics-10) | 10 | Magic bytes, polyglot detection, embedded files, appended data, entropy, hex dump, strings, headers |\n| [Document Analysis](#-document-analysis-5) | 5 | PDF hidden content, PDF metadata, PDF streams, HTML hidden content, XML metadata |\n| [Encoding \u0026 Crypto](#-encoding--crypto-7) | 7 | Encoding detection, multi-format decoder, frequency analysis, entropy, XOR brute-force, hash ID, cipher patterns |\n| [Video Steganography](#-video-steganography-8) | 8 | AVI frame LSB, inter-frame analysis, frame comparison, metadata, structure, EOF data |\n| [GIF Steganography](#-gif-steganography-8) | 8 | Palette LSB, LZW sub-block entropy, comment extensions, application extensions, frame analysis |\n| [Network Steganography](#-network-steganography-8) | 8 | PCAP covert channels, IP/TCP header analysis, ICMP payloads, DNS tunneling, HTTP headers, timing |\n| [MP3 Steganography](#-mp3-steganography-7) | 7 | ID3 hidden data, frame analysis, padding manipulation, sample analysis, metadata, structure |\n| [Spread Spectrum](#-spread-spectrum-5) | 5 | DFT magnitude spectrum, autocorrelation, watermark detection, noise floor analysis, patchwork detection |\n| [BPCS Analysis](#-bpcs-analysis-5) | 5 | Bit-plane complexity segmentation, complexity mapping, threshold analysis, data extraction, capacity estimation |\n| [Archive Steganography](#-archive-steganography-7) | 7 | ZIP slack spaces, extra fields, comments, polyglot detection, structure analysis, metadata |\n| [Create \u0026 Embed](#-create--embed-7) | 7 | EOF injection, metadata injection, whitespace encoding, null cipher, polyglot creation, comment injection, palette embedding |\n| [QR Code Steganography](#-qr-code-steganography-6) | 6 | QR stego detection, structure analysis, ECC capacity, module analysis, data extraction, comparison |\n\n---\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003ch3\u003eImage Steganalysis (14)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `img_detect` | Auto-detect steganography in an image. Runs chi-square, RS analysis, entropy, metadata, appended data, and tool signature checks. Returns a comprehensive JSON report |\n| `img_lsb_detect` | Statistical LSB steganography detection. Runs chi-square and sample pair analysis on each color channel independently |\n| `img_lsb_extract` | Extract hidden data from image LSBs. Extracts bits from specified channels and bit plane, attempts UTF-8 decode, and shows hex dump |\n| `img_lsb_embed` | Embed a message into an image using LSB steganography. Reads a PNG file, embeds the message into the least significant bits, and writes a new PNG file |\n| `img_bitplane` | Extract and visualize a specific bit plane from an image channel. Shows dimensions, percentage of 1-bits, and an ASCII art preview |\n| `img_chi_square` | Chi-square steganalysis attack on each color channel independently. Detects LSB replacement by testing whether adjacent pixel value pairs are equalized |\n| `img_rs_analysis` | RS (Regular-Singular) steganalysis using the Fridrich-Goljan-Du method. Analyzes pixel groups to estimate LSB embedding rate per channel |\n| `img_histogram` | Generate a pixel value histogram with anomaly detection. Detects Pairs-of-Values (PoV) anomalies that indicate LSB steganography |\n| `img_entropy_map` | Per-block entropy analysis of an image. Splits the image into blocks and calculates Shannon entropy per block, flagging high-entropy regions |\n| `img_metadata` | Deep metadata extraction from an image. For PNG: text chunks, chunk list, IHDR info. For JPEG: EXIF, comments, quantization tables, marker list |\n| `img_appended_data` | Detect and extract data appended after the image EOF marker. Checks for hidden data past PNG IEND, JPEG EOI, or BMP file size boundary |\n| `img_compare` | Pixel-by-pixel comparison of two images. Reports identical/different pixel counts, max difference, and which channels are affected |\n| `img_channel_analysis` | Per-channel statistical analysis for R, G, B, and A channels. Reports mean, standard deviation, entropy, min, max, and unique value count |\n| `img_known_tools` | Scan image file bytes for known steganography tool signatures. Checks against a database of patterns from OpenStego, Steghide, JSteg, F5, and others |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eJPEG Analysis (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `jpeg_structure` | Parse JPEG markers/segments with offsets and sizes. Shows internal structure including all markers, positions, and segment lengths |\n| `jpeg_dct_histogram` | DCT coefficient distribution analysis for steganography detection. Analyzes Y-channel pixel value distribution and SOS entropy data to detect anomalies caused by JSteg, F5, and OutGuess |\n| `jpeg_double_compression` | Detect double JPEG compression artifacts. Identifies characteristic blocking artifacts and quantization table anomalies \u0026mdash; a common indicator of image tampering or stego embedding |\n| `jpeg_quantization` | Quantization table analysis with quality estimation. Displays all quantization tables in 8x8 grid format and estimates the JPEG quality factor |\n| `jpeg_exif_deep` | Deep EXIF analysis including GPS coordinates, timestamps, software info, thumbnails, maker notes, and all IFD entries. Flags forensically interesting fields |\n| `jpeg_thumbnail_compare` | Compare EXIF thumbnail against the main JPEG image. Dimension or content mismatch indicates post-capture modification \u0026mdash; a common forensic artifact |\n| `jpeg_comment` | Extract and analyze JPEG COM (comment) markers. Checks for hidden data patterns, unusually large comments, and high-entropy content |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eAudio Steganalysis (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `audio_detect` | Auto-detect audio steganography in a WAV file. Runs LSB chi-square, entropy analysis, metadata inspection, and checks for appended data |\n| `audio_lsb_detect` | PCM sample LSB statistical analysis. Performs chi-square test on LSBs grouped by value pairs to detect LSB replacement steganography |\n| `audio_lsb_extract` | Extract LSB data from audio samples. Reads the least significant bit of each PCM sample and attempts to decode hidden data |\n| `audio_spectrum` | Spectral analysis for hidden signals in WAV audio. Analyzes sample value distribution, zero-crossing rate, RMS energy per block, and detects anomalous quiet sections |\n| `audio_metadata` | Extract metadata from a WAV file including RIFF INFO chunks, format details, and all chunk information |\n| `audio_silence` | Analyze silent sections in WAV audio for hidden data. Finds near-zero sample regions and checks their LSBs \u0026mdash; silent sections with active LSBs are a strong stego indicator |\n| `audio_echo_detect` | Echo hiding detection via autocorrelation analysis. Computes normalized autocorrelation at common echo delays. Regular echo patterns indicate steganographic echo hiding |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eText \u0026 Unicode (10)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `text_detect` | Auto-detect text steganography. Checks for zero-width characters, whitespace encoding, invisible Unicode, homoglyphs, and unusual patterns |\n| `text_zwc_detect` | Detect zero-width characters (ZWSP, ZWNJ, ZWJ, BOM) in text. Reports positions, counts, and potential encoded message length |\n| `text_zwc_extract` | Decode a zero-width character encoded message. Extracts ZWC chars and decodes binary: ZWSP=0, ZWNJ=1 (attempts both polarities) |\n| `text_zwc_embed` | Embed a secret message into cover text using zero-width characters. Encodes message to binary and maps bits to ZWSP(0)/ZWNJ(1) |\n| `text_whitespace_detect` | Detect whitespace encoding in text. Checks each line for trailing whitespace patterns where space=0 and tab=1 might encode binary data |\n| `text_whitespace_extract` | Extract a whitespace-encoded message from text. Reads trailing whitespace from each line and decodes space=0/tab=1 binary encoding |\n| `text_invisible_scan` | Scan text for ALL invisible Unicode characters. Checks every character against the full invisible character database and reports positions and names |\n| `text_homoglyph` | Detect Unicode homoglyph substitutions in text. Identifies non-ASCII characters that visually resemble ASCII letters (Cyrillic a vs Latin a, etc.) |\n| `text_unicode_analysis` | Full Unicode character distribution analysis. Categorizes all characters by script block, performs entropy analysis, and detects suspicious script mixing |\n| `text_acrostic` | Detect first-letter, first-word, last-letter, last-word, or nth-character patterns (acrostic messages) hidden across lines of text |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eFile Forensics (10)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `file_identify` | File type identification via magic bytes. Reads the file header and matches against a comprehensive database of known file signatures. Checks for extension mismatch |\n| `file_polyglot` | Detect polyglot files valid as two or more formats simultaneously. Checks for multiple valid file signatures at different offsets (PDF+ZIP, PNG+PDF, etc.) |\n| `file_embedded` | Scan for embedded files within a binary, similar to binwalk. Searches for known magic byte signatures at every offset to discover hidden or appended files |\n| `file_appended` | Detect data appended after a file's format-specific EOF marker. Supports PNG (IEND), JPEG (FFD9), BMP, ZIP (EOCD), and PDF (%%EOF) |\n| `file_entropy` | Section-by-section entropy analysis. Calculates Shannon entropy per block and overall, flagging anomalous high-entropy sections |\n| `file_entropy_visual` | ASCII entropy visualization of a file. Renders a text-based bar chart showing entropy levels across the file for visual anomaly detection |\n| `file_strings` | Extract printable and Unicode strings from binary files. Scans for runs of printable characters and reports them with file offsets. Supports ASCII, UTF-8, UTF-16 |\n| `file_hex` | Hex dump with ASCII sidebar display. Traditional hex editor format with offset addresses, hex bytes, and printable ASCII representation |\n| `file_header` | Deep header and structure analysis for known formats. Parses PNG IHDR, JPEG SOF, BMP info header, ZIP local file headers, and PDF version/metadata |\n| `file_compare` | Binary diff between two files. Byte-by-byte comparison reporting differences with offsets, percentage identical, and LSB-only difference detection for stego analysis |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eDocument Analysis (5)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `doc_pdf_hidden` | Hidden PDF content detection. Scans for JavaScript, auto-actions, OpenAction, hidden annotations, invisible text, embedded files, and other covert content |\n| `doc_pdf_metadata` | PDF metadata extraction. Parses the /Info dictionary and XMP metadata blocks for forensic attribution and document provenance analysis |\n| `doc_pdf_streams` | PDF stream analysis. Locates all stream/endstream blocks, attempts zlib decompression, and reports sizes and entropy for finding hidden data |\n| `doc_html_hidden` | Hidden HTML content detection. Scans for comments, display:none elements, data-* attributes, hidden inputs, base64 content, zero-size elements, and invisible text |\n| `doc_xml_metadata` | XML and Office document metadata extraction. Parses Dublin Core, Microsoft Office properties, processing instructions, and other metadata fields |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eEncoding \u0026 Crypto (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `crypto_detect` | Auto-detect encoding type of an input string. Tests against all known patterns (Base64, hex, binary, morse, URL encoding, HTML entities, etc.) and returns matches sorted by confidence |\n| `crypto_decode` | Multi-format decoder supporting Base64, hex, binary, decimal, octal, URL encoding, ROT13, Base32, Morse code, and HTML entities. Auto mode detects encoding first |\n| `crypto_frequency` | Character frequency analysis for cryptanalysis. Counts character occurrences, compares to standard English frequency (ETAOINSHRDLU), and calculates Index of Coincidence |\n| `crypto_entropy` | Shannon entropy calculation and classification for strings. Computes character-level and byte-level entropy, classifying into categories from repeated data to encrypted/random |\n| `crypto_xor` | XOR key brute-force for single-byte and multi-byte keys. Tries all 256 single-byte keys and scores by English text probability. Uses IC for multi-byte key length estimation |\n| `crypto_hash_id` | Hash type identification. Matches input against known hash patterns by length and format (MD5, SHA-1, SHA-256, SHA-512, bcrypt, CRC32, NTLM, etc.) |\n| `crypto_patterns` | Known cipher and encoding pattern detection. Analyzes text for Caesar cipher, substitution cipher, Vigenere, rail fence transposition, Atbash, and reversed text |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eAdvanced JPEG (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `jpegadv_f5_detect` | F5 steganography detection. Analyzes DCT coefficient histogram for shrinkage at zero and asymmetric distribution around zero |\n| `jpegadv_jsteg_detect` | JSteg detection. Chi-square test on coefficient value pairs, zero AC coefficient preservation analysis |\n| `jpegadv_outguess_detect` | OutGuess detection. First-order histogram smoothness, second-order statistics, inter-block correlation analysis |\n| `jpegadv_pvd_detect` | Pixel Value Differencing detection. Horizontal/vertical difference histograms, staircase artifacts at PVD range boundaries |\n| `jpegadv_chi_sliding` | Sliding window chi-square analysis. Per-window p-values to detect embedding start/end points and estimate message length |\n| `jpegadv_calibration` | Crop-recalibrate steganalysis. Compares original vs cropped image statistics to reveal DCT modifications |\n| `jpegadv_compatibility` | JPEG stego tool compatibility check. Analyzes markers, quality, encoding type to determine which tools (JSteg, F5, OutGuess, steghide, JPHS) could have been used |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eVideo Steganography (8)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `video_detect` | Auto-detect steganography in AVI files. Runs LSB analysis on frames, checks for appended data, analyzes frame size variance |\n| `video_frame_lsb` | LSB analysis of a specific video frame. Extracts raw pixel data, checks LSB balance/distribution and entropy |\n| `video_frame_extract` | Extract LSB bits from specified frames. Assembles into byte stream with hex dump and text preview |\n| `video_frame_compare` | Compare two frames byte-by-byte. Reports MSE, PSNR, max difference, and LSB-only modification detection |\n| `video_inter_frame` | Analyze idx1 index entries for keyframe vs delta frame distribution, flag histogram, and size statistics |\n| `video_metadata` | Extract AVI metadata: dimensions, FPS, codec, stream details, duration, audio presence |\n| `video_structure` | Recursively visualize the RIFF/LIST chunk tree with fourCC codes, offsets, and sizes |\n| `video_eof_data` | Detect and analyze data appended after the RIFF container boundary |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eGIF Steganography (8)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `gif_detect` | Auto-detect GIF steganography. Analyzes color table LSBs, appended data, comment extensions, animation anomalies |\n| `gif_palette` | Palette analysis: sort order, duplicates, unused entries, luminance distribution, LSB-differing adjacent pairs |\n| `gif_palette_lsb` | Extract LSB from each R/G/B channel of the global color table. Per-channel balance and chi-square tests |\n| `gif_frame_analysis` | Multi-frame animation analysis: per-frame size, delay times, disposal methods, local color tables |\n| `gif_comment` | Extract all comment extensions with text content, entropy, printable ratio, and hex dump |\n| `gif_appext` | Application extension analysis. Parses NETSCAPE loop counts, detects non-standard extensions |\n| `gif_lzw_analysis` | LZW sub-block entropy analysis per frame. Detects anomalous sub-block sizes and cross-frame entropy outliers |\n| `gif_structure` | Visualize complete GIF block structure: header, color tables, extensions, image descriptors, trailer |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eNetwork Steganography (8)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `net_detect` | Auto-detect network steganography in PCAP files. Runs IP covert field, ICMP payload, DNS tunneling, and timing analysis |\n| `net_ip_header` | IP header covert field analysis. TTL patterns, IP identification entropy, TOS/DSCP usage |\n| `net_tcp_header` | TCP seq/ack number analysis. ISN analysis, per-flow sequence increments, TCP options, window size variability |\n| `net_icmp_payload` | ICMP echo payload analysis. Per-packet entropy, printable content ratio, payload size anomalies |\n| `net_dns_tunnel` | DNS tunneling detection. Subdomain length distribution, per-label entropy, TXT record usage, query frequency |\n| `net_http_header` | HTTP header covert channel analysis. Custom headers, X-header entropy, cookie value entropy |\n| `net_timing` | Inter-packet timing analysis. Interval statistics, timing covert channel detection via binary splitting |\n| `net_stats` | PCAP statistics summary. Protocol distribution, top IP pairs, port usage, throughput |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eMP3 Steganography (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `mp3_detect` | Auto-detect MP3 steganography. Checks ID3 padding, PRIV frames, pre-audio gaps, trailing data, bitrate anomalies |\n| `mp3_frame_analysis` | Frame header analysis. Bitrate distribution, padding bit entropy, frame size statistics, channel mode consistency |\n| `mp3_id3_hidden` | ID3v1/v2 hidden data analysis. APIC, PRIV, GEOB frames, unknown frame IDs, padding content inspection |\n| `mp3_padding` | Bit reservoir/padding manipulation detection. Pre-audio gaps, inter-frame gaps with per-gap entropy |\n| `mp3_sample_analysis` | Statistical analysis of frame sizes. Distribution histogram, entropy of sizes and deltas, outlier detection |\n| `mp3_metadata` | Full MP3 metadata extraction. Audio properties, ID3v2 frames with decoded text, file structure layout |\n| `mp3_structure` | Frame structure visualization. Per-frame table, bitrate map, and padding bit map |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eSpread Spectrum (5)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `spread_dft_analysis` | DFT magnitude spectrum analysis. Spectral flatness, frequency band energy, dominant frequencies for hidden signal detection |\n| `spread_correlation` | Autocorrelation-based detection. Finds periodic embedding patterns, distinguishes natural peaks from suspicious ones |\n| `spread_watermark_detect` | Statistical watermark detection. Block-based pixel variance comparison, checkerboard patterns, quadrant uniformity |\n| `spread_noise_analysis` | Noise floor embedding detection. Laplacian noise estimation, smooth vs textured region noise comparison |\n| `spread_patchwork` | Patchwork watermark detection. Multi-seed PRNG group splitting, statistical hypothesis testing |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eBPCS Analysis (5)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `bpcs_detect` | Auto-detect BPCS embedding. Complexity analysis across all 24 bit planes (8 planes x 3 channels), MSB/LSB trend analysis |\n| `bpcs_complexity_map` | Full complexity map with ASCII spatial visualization and distribution histograms for all 8 bit planes |\n| `bpcs_threshold` | Threshold sweep analysis from 0.05 to 0.95. Finds optimal BPCS boundary and suspicious complexity patterns |\n| `bpcs_extract` | Extract data from complex regions. Gathers bits above threshold in raster-scan order, analyzes for structure |\n| `bpcs_capacity` | Estimate BPCS embedding capacity across all channels and planes, accounting for conjugation map overhead |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eArchive Steganography (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `archive_detect` | Auto-detect archive steganography. Checks slack spaces, prepended/appended data, unusual extra fields, comments |\n| `archive_structure` | ZIP entry structure analysis. Lists all local file headers with offsets, sizes, compression methods, CRC-32 |\n| `archive_extra_fields` | Parse extra fields from local and central directory entries. Flags unknown header IDs as potential hiding spots |\n| `archive_comment` | Extract archive-level and per-file comments with entropy analysis and hex dumps |\n| `archive_slack` | Identify gaps between ZIP entries with size, entropy, printable ratio, and hex dumps |\n| `archive_polyglot` | Detect if ZIP has prepended/appended data valid as another format (PDF, PNG, ELF, PE, etc.) |\n| `archive_metadata` | Summary of file count, compression ratios, timestamps, version info, encryption flags |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eCreate \u0026 Embed (7)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `create_eof_inject` | Append data after a file's EOF marker. Takes file_path, data, and output_path |\n| `create_metadata` | Inject data into metadata fields. PNG tEXt chunks, JPEG COM segments, generic append |\n| `create_whitespace` | Encode data in trailing whitespace (space=0, tab=1) on text file lines |\n| `create_null_cipher` | Generate null cipher text. First-letter mode or nth-word arrangement |\n| `create_polyglot` | Concatenate two files to create a polyglot valid as both formats |\n| `create_comment` | Inject into format-specific comment fields (PNG tEXt, JPEG COM, GIF Comment Extension) |\n| `create_palette` | Embed data in palette LSBs for indexed PNG (PLTE) and GIF (Global Color Table) |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch3\u003eQR Code Steganography (6)\u003c/h3\u003e\u003c/summary\u003e\n\n| Tool | Description |\n|------|-------------|\n| `qr_detect` | Detect steganography in QR code images. Pixel distribution bimodality, LSB randomization, non-pure module values |\n| `qr_structure` | QR structure analysis. Finder patterns, version estimation, module size, grid dimensions |\n| `qr_ecc_analysis` | Error correction capacity analysis. ECC levels L/M/Q/H, steganographic capacity from sacrificing ECC codewords |\n| `qr_module_analysis` | Per-module pixel variance analysis. Clean QR codes should have zero intra-module variance |\n| `qr_data_extract` | Extract data region pixels excluding function patterns. Module values, binary string, entropy statistics |\n| `qr_compare` | Compare two QR code images. Data region vs function pattern differences, LSB-only modification detection |\n\n\u003c/details\u003e\n\n---\n\n## CLI Usage\n\n```bash\n# Show help\nnpx -y steganography-mcp --help\n\n# List all 128 tools with descriptions\nnpx -y steganography-mcp --list\n\n# Detect steganography in an image\nnpx -y steganography-mcp --tool img_detect '{\"file_path\":\"challenge.png\"}'\n\n# Extract hidden message from LSBs\nnpx -y steganography-mcp --tool img_lsb_extract '{\"file_path\":\"stego.png\"}'\n\n# Chi-square steganalysis\nnpx -y steganography-mcp --tool img_chi_square '{\"file_path\":\"suspect.png\"}'\n\n# RS analysis (Fridrich-Goljan-Du method)\nnpx -y steganography-mcp --tool img_rs_analysis '{\"file_path\":\"suspect.png\"}'\n\n# JPEG double compression detection\nnpx -y steganography-mcp --tool jpeg_double_compression '{\"file_path\":\"photo.jpg\"}'\n\n# Deep EXIF analysis\nnpx -y steganography-mcp --tool jpeg_exif_deep '{\"file_path\":\"photo.jpg\"}'\n\n# Audio steganography detection\nnpx -y steganography-mcp --tool audio_detect '{\"file_path\":\"message.wav\"}'\n\n# Detect zero-width character encoding\nnpx -y steganography-mcp --tool text_zwc_detect '{\"text\":\"suspicious text here\"}'\n\n# Embed a hidden message with zero-width characters\nnpx -y steganography-mcp --tool text_zwc_embed '{\"text\":\"cover text\",\"message\":\"secret\"}'\n\n# Identify file type and detect polyglots\nnpx -y steganography-mcp --tool file_polyglot '{\"file_path\":\"suspicious.pdf\"}'\n\n# Scan for embedded files (binwalk-style)\nnpx -y steganography-mcp --tool file_embedded '{\"file_path\":\"mystery.bin\"}'\n\n# Entropy visualization\nnpx -y steganography-mcp --tool file_entropy_visual '{\"file_path\":\"data.bin\"}'\n\n# Auto-detect encoding\nnpx -y steganography-mcp --tool crypto_detect '{\"input\":\"aGVsbG8gd29ybGQ=\"}'\n\n# XOR brute-force\nnpx -y steganography-mcp --tool crypto_xor '{\"input\":\"4f5243484e\"}'\n\n# Detect cipher patterns\nnpx -y steganography-mcp --tool crypto_patterns '{\"input\":\"Gur dhvpx oebja sbk\"}'\n\n# Video steganography detection\nnpx -y steganography-mcp --tool video_detect '{\"file_path\":\"movie.avi\"}'\n\n# GIF palette LSB analysis\nnpx -y steganography-mcp --tool gif_palette_lsb '{\"file_path\":\"animation.gif\"}'\n\n# Network covert channel detection\nnpx -y steganography-mcp --tool net_dns_tunnel '{\"file_path\":\"capture.pcap\"}'\n\n# MP3 hidden data detection\nnpx -y steganography-mcp --tool mp3_detect '{\"file_path\":\"song.mp3\"}'\n\n# F5 JPEG stego detection\nnpx -y steganography-mcp --tool jpegadv_f5_detect '{\"file_path\":\"suspect.jpg\"}'\n\n# BPCS embedding detection\nnpx -y steganography-mcp --tool bpcs_detect '{\"file_path\":\"image.png\"}'\n\n# Archive slack space analysis\nnpx -y steganography-mcp --tool archive_slack '{\"file_path\":\"archive.zip\"}'\n\n# QR code stego detection\nnpx -y steganography-mcp --tool qr_detect '{\"file_path\":\"qrcode.bmp\"}'\n\n# Spread spectrum watermark detection\nnpx -y steganography-mcp --tool spread_patchwork '{\"file_path\":\"image.png\"}'\n\n# Create a polyglot file\nnpx -y steganography-mcp --tool create_polyglot '{\"file1_path\":\"image.png\",\"file2_path\":\"secret.zip\",\"output_path\":\"polyglot.png\"}'\n\n# Using Bun (faster startup)\nbunx steganography-mcp --tool img_detect '{\"file_path\":\"image.png\"}'\n```\n\n---\n\n## Use Cases\n\n### CTF Challenges\nSolve steganography challenges in capture-the-flag competitions. The AI agent can systematically apply all detection techniques \u0026mdash; LSB analysis, metadata inspection, appended data, encoding detection, and cipher identification \u0026mdash; to find hidden flags in images, audio files, documents, and text.\n\n### Digital Forensics\nDetect covert communication channels in forensic investigations. Analyze suspect files for hidden data using statistical steganalysis (chi-square, RS analysis), check for data appended after EOF markers, scan for embedded files, and identify steganography tool signatures.\n\n### Security Research\nAnalyze steganography tools and techniques. Compare original and stego images pixel-by-pixel, study DCT coefficient distributions in JPEG stego, measure entropy changes from embedding, and reverse-engineer encoding schemes.\n\n### Education\nLearn how steganography techniques work. Embed and extract LSB messages, encode text with zero-width characters, visualize bit planes and entropy maps, analyze file structures with hex dumps, and study cipher patterns with frequency analysis.\n\n### Incident Response\nDuring incident response, check documents and images for hidden exfiltration channels. Scan PDFs for hidden JavaScript and embedded files, detect zero-width character encoding in emails, identify polyglot files, and analyze suspicious encodings.\n\n---\n\n## Architecture\n\n```\nsrc/\n  index.ts                    # CLI entrypoint (--help, --list, --tool, stdio server)\n  protocol/\n    mcp-server.ts             # MCP server setup (stdio transport)\n    tools.ts                  # Tool registry — all 128 tools assembled here\n  types/\n    index.ts                  # Shared types (ToolDef, ToolContext, ToolResult)\n  utils/\n    binary.ts                 # Binary file reading, hex dump, format detection\n    stats.ts                  # Shannon entropy, chi-square, DFT, autocorrelation, BPCS complexity, patchwork test\n    cache.ts                  # TTL cache\n    png-parser.ts             # Pure TS PNG parser (IHDR, chunks, pixel data)\n    jpeg-parser.ts            # Pure TS JPEG parser (markers, EXIF, quantization, DCT coefficients)\n    wav-parser.ts             # Pure TS WAV parser (RIFF chunks, PCM samples)\n    bmp-parser.ts             # Pure TS BMP parser (header, pixel data)\n    avi-parser.ts             # Pure TS AVI/RIFF parser (chunks, streams, idx1, frames)\n    gif-parser.ts             # Pure TS GIF89a parser (color tables, extensions, LZW blocks)\n    pcap-parser.ts            # Pure TS PCAP parser (IP/TCP/UDP/ICMP/DNS/HTTP)\n    mp3-parser.ts             # Pure TS MP3 parser (ID3v1/v2, frame headers)\n    zip-parser.ts             # Pure TS ZIP parser (local headers, central directory, extra fields)\n  image/                      # Image Steganalysis tools (14)\n  jpeg/                       # JPEG Analysis tools (7)\n  jpegadv/                    # Advanced JPEG tools (7) — F5, JSteg, OutGuess, PVD\n  audio/                      # Audio Steganalysis tools (7)\n  text/                       # Text \u0026 Unicode tools (10)\n  file/                       # File Forensics tools (10)\n  document/                   # Document Analysis tools (5)\n  crypto/                     # Encoding \u0026 Crypto tools (7)\n  video/                      # Video Steganography tools (8) — AVI frame analysis\n  gif/                        # GIF Steganography tools (8) — palette, LZW, animation\n  network/                    # Network Steganography tools (8) — PCAP covert channels\n  mp3/                        # MP3 Steganography tools (7) — ID3, padding, frames\n  spread/                     # Spread Spectrum tools (5) — DFT, watermark, patchwork\n  bpcs/                       # BPCS Analysis tools (5) — bit-plane complexity\n  archive/                    # Archive Steganography tools (7) — ZIP slack, extra fields\n  create/                     # Create \u0026 Embed tools (7) — EOF inject, polyglot, palette\n  qrcode/                     # QR Code Steganography tools (6) — ECC, modules, compare\n  data/\n    encoding-patterns.ts      # Encoding regex patterns + decoders\n    magic-bytes.ts            # File signature database (100+ formats)\n    stego-signatures.ts       # Known steganography tool signatures\n    unicode-invisible.ts      # Invisible Unicode character database\n```\n\n**Design decisions:**\n\n- **4 dependencies, nothing else** \u0026mdash; `@modelcontextprotocol/sdk` for the MCP protocol, `zod` for input validation, `pngjs` for PNG pixel access, `jpeg-js` for JPEG decoding. No bloated dependency tree. No native modules. No C bindings. No Python. No Java.\n- **100% offline** \u0026mdash; Every tool runs entirely locally. No HTTP requests. No API calls. No telemetry. No cloud dependencies. Your files never leave your machine.\n- **Pure TypeScript statistical analysis** \u0026mdash; Chi-square test, RS analysis (Fridrich-Goljan-Du), Sample Pair Analysis, Shannon entropy, DFT, autocorrelation, BPCS border complexity, patchwork test, Index of Coincidence, and frequency analysis are all implemented in pure TypeScript. No external math libraries.\n- **11 custom format parsers** \u0026mdash; PNG, JPEG, WAV, BMP, AVI/RIFF, GIF89a, PCAP, MP3/ID3, and ZIP are parsed with zero external dependencies using the `utils/` parsers. This allows deep format-specific analysis that general-purpose libraries cannot provide.\n- **17 providers, 1 server** \u0026mdash; Each analysis category is an independent module. The AI agent picks which tools to use based on the investigation context.\n- **Clean ToolDef pattern** \u0026mdash; Every tool follows the same `{ name, description, schema, execute }` pattern. Adding a new tool is a single object in the appropriate module.\n- **Zod validation on every field** \u0026mdash; Every schema field has `.describe()` for AI agent context. Invalid inputs are caught before execution with clear error messages.\n\n---\n\n## Part of the MCP Security Suite\n\n| Project | Domain | Tools |\n|---|---|---|\n| [hackbrowser-mcp](https://github.com/badchars/hackbrowser-mcp) | Browser-based security testing | 39 tools |\n| [cloud-audit-mcp](https://github.com/badchars/cloud-audit-mcp) | Cloud security (AWS/Azure/GCP) | 38 tools |\n| [github-security-mcp](https://github.com/badchars/github-security-mcp) | GitHub security posture | 39 tools |\n| [cve-mcp](https://github.com/badchars/cve-mcp) | Vulnerability intelligence | 23 tools |\n| [osint-mcp-server](https://github.com/badchars/osint-mcp-server) | OSINT \u0026 reconnaissance | 37 tools |\n| [darknet-mcp-server](https://github.com/badchars/darknet-mcp-server) | Dark web \u0026 threat intelligence | 66 tools |\n| [dns-security-mcp](https://github.com/badchars/dns-security-mcp) | DNS security intelligence | 103 tools |\n| **steganography-mcp** | **Steganography analysis** | **128 tools** |\n\n---\n\n## Contributing\n\nContributions are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n---\n\n\u003cp align=\"center\"\u003e\n\u003cb\u003eFor authorized security research and educational purposes only.\u003c/b\u003e\u003cbr\u003e\nAlways ensure you have proper authorization before performing steganography analysis on files you do not own.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"LICENSE\"\u003eMIT License\u003c/a\u003e \u0026bull; Built by \u003ca href=\"https://orhanyildirim.us\"\u003eOrhan Yildirim\u003c/a\u003e \u0026bull; \u003ca href=\"mailto:contact@orhanyildirim.us\"\u003econtact@orhanyildirim.us\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbadchars%2Fsteganography-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbadchars%2Fsteganography-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbadchars%2Fsteganography-mcp/lists"}