Labsco
infai-tech logo

Vulnfeed MCP

from infai-tech

Dependency vulnerability scanner with EPSS exploit scoring. Scans lockfiles, prioritizes by actual exploit probability, recommends fix versions. 9 MCP tools. Free tier + $14/mo subscription + x402 micropayments.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedPaid serviceNeeds API keys

VulnFeed โ€” Dependency Vulnerability Monitoring for Claude Code

vulnfeed-mcp MCP server

An MCP server that scans your project dependencies for known vulnerabilities, enriches with EPSS exploit probability scores, and recommends fix versions.

Free tier โ€” 10 scans/day, 1 monitored project, no signup required.

Homepage: vulnfeed.novadyne.ai

Tools

Scanning

ToolDescription
scan_projectAuto-detect and scan all lockfiles in a directory
scan_lockfileScan a specific lockfile
check_packageCheck a single package for vulnerabilities
lookup_cveDetailed CVE info with EPSS + fix versions

Monitoring

ToolDescription
monitor_projectRegister for continuous monitoring
check_alertsNew vulns since last scan
update_depsUpdate snapshot after upgrading packages
list_monitoredSee all monitored projects
unmonitor_projectRemove from monitoring

Supported lockfiles

  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • pnpm-lock.yaml (pnpm)
  • requirements.txt (pip)
  • Pipfile.lock (Pipenv)
  • go.sum / go.mod (Go)
  • Cargo.lock (Rust)
  • Gemfile.lock (Ruby)
  • composer.lock (PHP)

How it works

  1. Parses your lockfile to extract dependency names + versions
  2. Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
  3. Enriches with EPSS exploit probability scores
  4. Filters noise โ€” suppresses low-EPSS, non-critical CVEs by default
  5. Sorts by exploitability โ€” most likely to be exploited first
  6. Returns fix version recommendations from package registries

Smart filtering

By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.

Pass show_all=True to any scan tool to see everything.

Continuous monitoring

  1. monitor_project โ€” takes a baseline snapshot of current deps + known vulns
  2. check_alerts โ€” diffs against baseline, surfaces only new vulns
  3. Run check_alerts periodically to catch newly published CVEs