An MCP server that reads your lockfile, checks NVD + GitHub Advisories, and tells you what actually matters — prioritized by real-world exploit probability, with exact fix versions.
Free tier — 10 scans/day, no signup. $14/mo for unlimited.
```text
> Scan my project for vulnerabilities

Using: scan_project(".")
Scanning package-lock.json... 847 packages

Severity: HIGH | EPSS: 73.2% (HIGH) | Fix: upgrade to 4.21.0

Open redirect via malicious URL in res.location()
Severity: MODERATE | EPSS: 0.8% (low) | Fix: upgrade to 4.19.2

3 affected packages, 12 vulnerabilities total
Top priority: express — the GHSA-29mw vuln has 73% exploit probability
```
Reads your package-lock.json, requirements.txt, or go.sum and filters to only the CVEs that hit your actual dependency tree. No noise from packages you don't use.
Most CVEs are noise. EPSS (Exploit Prediction Scoring System) gives each one a probability that it will be exploited in the wild within the next 30 days, based on observed exploitation activity rather than on CVSS severity alone. VulnFeed surfaces the ones likely to be used in real attacks. Note that EPSS says nothing about whether the vulnerable code is reachable in your application; a low score means "unlikely to be exploited", not "harmless".
Not just "you're vulnerable" but "upgrade express 4.17.1 → 4.21.0". Cross-references the npm, PyPI, and Go registries for the exact version that fixes the issue.
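The three steps above (read the lockfile, keep only advisories that hit an installed version, rank by EPSS and name the fix version) are small enough to show end to end. The following is an added illustration written for this page, not VulnFeed's own code or its data feed: it parses a `package-lock.json` (lockfileVersion 2/3 layout, including nested copies under another package's `node_modules`), matches installed versions against GitHub-Advisory-style ranges such as `>= 4.0.0, < 4.19.2`, sorts by EPSS, and derives the lowest upgrade that clears every hit. The lockfile, the advisory records, their IDs, and the EPSS numbers are constructed to mirror the demo session above and are not real advisory data.

```python
import json
import re

# Constructed package-lock.json (lockfileVersion 3 layout), not a real project.
# A nested duplicate of express sits under left-pad's own node_modules.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/left-pad/node_modules/express": {"version": "4.19.2"},
    },
})

# Constructed advisory records mirroring the page's demo output.
# The IDs, ranges and summaries are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "express", "severity": "HIGH",
     "vulnerable_range": ">= 4.0.0, < 4.21.0", "patched": "4.21.0",
     "summary": "placeholder high-severity issue"},
    {"id": "EXAMPLE-ADV-0002", "package": "express", "severity": "MODERATE",
     "vulnerable_range": ">= 4.0.0, < 4.19.2", "patched": "4.19.2",
     "summary": "Open redirect via malicious URL in res.location()"},
    {"id": "EXAMPLE-ADV-0003", "package": "lodash", "severity": "HIGH",
     "vulnerable_range": "< 4.17.21", "patched": "4.17.21",
     "summary": "placeholder issue that the installed version already fixes"},
]

# Constructed EPSS probabilities (0..1) keyed by advisory id.
SAMPLE_EPSS = {"EXAMPLE-ADV-0001": 0.732, "EXAMPLE-ADV-0002": 0.008,
               "EXAMPLE-ADV-0003": 0.05}


def parse_version(v):
    """'4.19.2' -> (4, 19, 2). Prerelease/build metadata is dropped and
    missing components are padded with zeros so tuples compare directly."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


_CMP = re.compile(r"(>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.+-]*)")

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "=": lambda a, b: a == b}


def in_range(version, vulnerable_range):
    """True if version satisfies every comparator in a GHSA-style range
    such as '>= 4.0.0, < 4.19.2' (comparators are ANDed)."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound))
               for op, bound in _CMP.findall(vulnerable_range))


def installed_packages(lockfile_text):
    """Map package name -> set of installed versions from a v2/v3
    package-lock.json. The name is the path segment after the last
    'node_modules/', so nested copies and scoped packages both resolve."""
    data = json.loads(lockfile_text)
    found = {}
    for path, entry in data.get("packages", {}).items():
        if not path or "version" not in entry:
            continue  # root project entry or a link without a version
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(entry["version"])
    return found


def scan(lockfile_text, advisories, epss):
    """Keep only advisories whose range contains an installed version, and
    order them by EPSS (highest first) so likely-exploited issues lead."""
    installed = installed_packages(lockfile_text)
    findings = []
    for adv in advisories:
        for version in sorted(installed.get(adv["package"], ())):
            if in_range(version, adv["vulnerable_range"]):
                findings.append({
                    "package": adv["package"], "installed": version,
                    "advisory": adv["id"], "severity": adv["severity"],
                    "epss": epss.get(adv["id"], 0.0), "fix": adv["patched"],
                    "summary": adv["summary"],
                })
    findings.sort(key=lambda f: f["epss"], reverse=True)
    return findings


def upgrade_targets(findings):
    """Per package, the lowest version that clears every matched advisory:
    the highest 'patched' version among that package's findings."""
    targets = {}
    for f in findings:
        cur = targets.get(f["package"])
        if cur is None or parse_version(f["fix"]) > parse_version(cur):
            targets[f["package"]] = f["fix"]
    return targets


if __name__ == "__main__":
    results = scan(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, SAMPLE_EPSS)
    for f in results:
        print(f"{f['package']}@{f['installed']}  {f['severity']:<8} "
              f"EPSS {f['epss']:.1%}  fix -> {f['fix']}  {f['advisory']}")
    for pkg, ver in upgrade_targets(results).items():
        print(f"upgrade {pkg} -> {ver}")
```

Two details matter in practice. The nested `express@4.19.2` copy is reported separately, because a range match is per installed version, not per package name; a scanner that only reads top-level entries misses shadowed duplicates. And the lodash advisory produces no finding since the installed version sits outside its range, which is the filtering that keeps an already-patched dependency from showing up as noise.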
Register your project once. Check back any time for new vulnerabilities. New CVE published at 3am? It's in the index by 3:15am for your morning session.
Scan a lockfile, check a package, look up a CVE, monitor a project, check alerts, update deps, list projects. Everything a security workflow needs.
Data sources are NVD, GitHub Advisory DB, and EPSS — all free, public APIs. No vendor lock-in, no data broker middlemen. Your $14 pays for the intelligence layer, not data access.
| | Free MCP servers | Snyk / Socket | VulnFeed |
|---|---|---|---|
| CVE lookup | ✓ | ✓ | ✓ |
| Knows your deps | — | ✓ | ✓ |
| EPSS prioritization | — | ✓ | ✓ |
| Fix recommendations | — | ✓ | ✓ |
| Continuous monitoring | — | ✓ | ✓ |
| MCP-native | ✓ | — | ✓ |
| Free tier | ✓ | — | ✓ (10 scans/day) |
| x402 micropayments | — | — | ✓ ($0.01/scan) |
| Price (paid) | Free | $25-49/dev/mo | $14/mo flat |
10 scans/day, 1 monitored project. Just add this to your MCP config:
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
```
Works in Claude Code, Claude Desktop, Cursor, VS Code, and Windsurf.
Restart your client, then ask it to "scan my project for vulnerabilities". That's it.
Unlimited scans, unlimited monitored projects. Add your license key:
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
```
Get your license key — flat rate, not per-seat, not per-repo.
AI agents can pay per request with USDC on Base — no account, no API key, no subscription. Your agent gets a 402 response, pays $0.01, and gets results. Works with any x402-compatible client.
```bash
# Agent sends request, gets HTTP 402 with payment details
# x402 client library handles payment automatically
# $0.01 per scan · $0.002 per CVE lookup · $0.05 per monitor
# Discovery endpoint:
curl https://vulnfeed-api.novadyne.ai/.well-known/x402
```
Uses the x402 protocol — USDC on Base via Coinbase facilitator. No middleman, instant settlement. View pricing & endpoints.