Labsco
mukul975 logo

CVE MCP Server

β˜… 1,100

from mukul975

A production-grade Model Context Protocol (MCP) server that turns Claude into a full-spectrum security analyst. Instead of juggling 15+ browser tabs across NVD, EPSS, CISA KEV, Shodan, VirusTotal, and GreyNoise, ask Claude one question and get correlated intelligence in seconds. Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

πŸ›‘οΈ CVE MCP Server

CVE MCP Server

AI-powered security intelligence at your fingertips β€” 28 tools + a one-call triage_cve orchestrator, 24 data sources, one protocol. GARS-2026 Survey Python 3.10+ License: MIT MCP Compatible Security Tool FastMCP

A production-grade Model Context Protocol (MCP) server that turns Claude into a full-spectrum security analyst. Instead of juggling 15+ browser tabs across NVD, EPSS, CISA KEV, Shodan, VirusTotal, and GreyNoise, ask Claude one question and get correlated intelligence in seconds. Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml.

The problem: Triaging a single CVE means querying NVD for CVSS scores, EPSS for exploitation probability, CISA KEV for active exploitation status, GitHub for patches, and VirusTotal for malware associations β€” then mentally correlating everything. For 50 CVEs, that's an entire day lost.

The solution: CVE MCP Server gives Claude direct access to 28 security tools across 24 APIs β€” fronted by the triage_cve one-call orchestrator. Ask "Should we patch CVE-2024-3400?" and Claude fans out to every relevant source in parallel, calculates a composite risk score (with a CISA KEV hard override), and delivers a prioritized recommendation with evidence.


🌍 GARS-2026 β€” Global Agentic AI Readiness Survey

I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI β€” MCP servers, tool calling, governance, and human-in-the-loop workflows.

If you use this repo, your response would be a genuinely valuable data point.

πŸ“‹ Take the survey (10 min): Survey

  • 60 questions Β· Anonymous Β· Supervised by SRH Berlin
  • You get 50 Casky Tokens for early access to casky.ai
  • Results published open access under CC-BY 4.0

πŸ“‘ Table of contents


πŸ—οΈ Architecture

Copy & paste β€” that's it
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        Claude Desktop / Claude Code                 β”‚
β”‚                         (MCP Client via stdio)                      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                               β”‚ Model Context Protocol (stdio)
                               β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        CVE MCP Server (Python)                      β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”              β”‚
β”‚  β”‚  27 MCP      β”‚  β”‚  Composite   β”‚  β”‚  SQLite Cache β”‚              β”‚
β”‚  β”‚  Tools       β”‚  β”‚  Risk Engine β”‚  β”‚  + Audit Log  β”‚              β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜              β”‚
β”‚         β”‚                β”‚                   β”‚                      β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”               β”‚
β”‚  β”‚              Async HTTP Client (httpx)            β”‚               β”‚
β”‚  β”‚         Rate Limiter Β· Response Cache             β”‚               β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜               β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                          β”‚ HTTPS (outbound only)
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β–Ό               β–Ό                           β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ VULNERABILITYβ”‚ β”‚   NETWORK    β”‚            β”‚   THREAT     β”‚
β”‚ INTELLIGENCE β”‚ β”‚ INTELLIGENCE β”‚            β”‚ INTELLIGENCE β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€            β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ NVD API 2.0  β”‚ β”‚ AbuseIPDB    β”‚            β”‚ VirusTotal   β”‚
β”‚ EPSS / FIRST β”‚ β”‚ GreyNoise v3 β”‚            β”‚ MalwareBazaarβ”‚
β”‚ CISA KEV     β”‚ β”‚ Shodan       β”‚            β”‚ ThreatFox    β”‚
β”‚ OSV.dev      β”‚ β”‚ CIRCL PDNS   β”‚            β”‚ Ransomwhere  β”‚
β”‚ GitHub GHSA  β”‚ β”‚              β”‚            β”‚ AlienVault   β”‚
β”‚ MITRE ATT&CK β”‚ β”‚              β”‚            β”‚ URLScan.io   β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜            β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

All traffic is outbound HTTPS only β€” no inbound ports are opened. API keys are loaded from environment variables and never logged. Private/internal IP addresses are blocked from all lookup tools.


πŸ” Tool catalog (28 tools)

⭐ Orchestration (v0.2.0) β€” start here

ToolDescriptionAPI Key RequiredExample Usage
triage_cveOne-call triage that fans out NVD + EPSS + CISA KEV (+ public PoC for depth != "quick") concurrently, computes the composite risk score with a KEV hard override, falls back to VulnCheck NVD++ when NIST NVD is throttled, and on depth="deep" emits the SSVC v2 gated decisionFree / No key (key recommended)triage_cve("CVE-2021-44228", depth="deep")

Also exposed via MCP primitives β€” Resources: kev://catalog, epss://scores/{cve_id}, manifest://tool-hash (SHA-256 over the registered tool surface, for tamper detection). Prompts: patch_decision, compare_and_prioritize, dependency_triage.

Core Vulnerability Intelligence (8 tools)

ToolDescriptionAPI Key RequiredExample Usage
lookup_cveFetch detailed CVE record from NVD including CVSS scores, CWEs, affected products, references, and timelineFree / No key (key recommended)lookup_cve("CVE-2024-3400")
search_cvesSearch NVD for CVEs by keyword, product name, severity, or date rangeFree / No key (key recommended)search_cves(keyword="Apache Log4j", severity="CRITICAL")
get_epss_scoreGet EPSS exploitation probability (0–1) and percentile for one or more CVEsFree / No keyget_epss_score("CVE-2024-3400")
check_kev_statusCheck whether a CVE appears in CISA's Known Exploited Vulnerabilities catalogFree / No keycheck_kev_status("CVE-2021-44228")
get_cvss_detailsParse and explain a CVSS v3.1 vector string with per-metric breakdownFree / No keyget_cvss_details("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H")
get_cwe_infoLook up Common Weakness Enumeration details by CWE ID from embedded databaseFree / No keyget_cwe_info("CWE-79")
get_cve_referencesExtract and categorize all reference links for a CVE (patches, advisories, exploits)Free / No key (key recommended)get_cve_references("CVE-2023-44487")
bulk_cve_lookupBatch-fetch details for up to 20 CVEs in a single call with parallel enrichmentFree / No key (key recommended)bulk_cve_lookup(["CVE-2024-3400", "CVE-2023-44487"])

Exploit & Attack Intelligence (4 tools)

ToolDescriptionAPI Key RequiredExample Usage
search_exploitsSearch GitHub for public proof-of-concept exploits and exploit code repositoriesGITHUB_TOKEN (optional)search_exploits("CVE-2024-3400")
get_mitre_techniquesMap a CVE or CWE to relevant MITRE ATT&CK techniques, tactics, and mitigationsFree / No keyget_mitre_techniques("CVE-2021-44228")
check_poc_availabilityDetermine if known proof-of-concept code exists for a CVE across multiple sourcesGITHUB_TOKEN (optional)check_poc_availability("CVE-2024-3400")
get_attack_patternsRetrieve CAPEC attack pattern details associated with a CWE or CVEFree / No keyget_attack_patterns("CWE-89")

Phase 3: Advanced Risk & Reporting (4 tools)

ToolDescriptionAPI Key RequiredExample Usage
calculate_risk_scoreCompute composite 0–100 risk score using CVSS, EPSS, KEV status, and PoC availabilityFree / No key (key recommended)calculate_risk_score("CVE-2024-3400")
generate_risk_reportGenerate a formatted executive security report for one or more CVEs with recommendationsFree / No key (key recommended)generate_risk_report(["CVE-2024-3400", "CVE-2023-44487"])
prioritize_cvesRank a list of CVEs by composite risk score for triage prioritizationFree / No key (key recommended)prioritize_cves(["CVE-2024-3400", "CVE-2023-4966", "CVE-2023-44487"])
get_trending_cvesRetrieve trending CVEs based on high EPSS scores and recent KEV additionsFree / No keyget_trending_cves(days=7, min_epss=0.5)

Network Intelligence (4 tools)

ToolDescriptionAPI Key RequiredExample Usage
lookup_ip_reputationCheck IP address abuse history and confidence score via AbuseIPDBABUSEIPDB_API_KEYlookup_ip_reputation("185.220.101.34")
check_ip_noiseQuery GreyNoise for IP scan/attack activity, classification, and associated CVEsGREYNOISE_API_KEYcheck_ip_noise("185.220.101.34")
shodan_host_lookupGet open ports, services, banners, and vulnerabilities for an IP via ShodanSHODAN_API_KEYshodan_host_lookup("8.8.8.8")
passive_dns_lookupRetrieve historical DNS resolution data for a domain from CIRCL Passive DNSCIRCL_PDNS_USER + CIRCL_PDNS_PASSWORDpassive_dns_lookup("example.com")

Threat Intelligence (4 tools)

ToolDescriptionAPI Key RequiredExample Usage
virustotal_lookupAnalyze file hashes, URLs, domains, or IPs against 70+ antivirus enginesVIRUSTOTAL_API_KEYvirustotal_lookup(hash="44d88612fea8a8f36de82e1278abb02f")
search_malwareSearch MalwareBazaar for malware samples by hash, tag, or signatureABUSECH_AUTH_KEY (optional)search_malware(tag="Emotet")
search_iocsQuery ThreatFox for Indicators of Compromise linked to malware familiesABUSECH_AUTH_KEY (optional)search_iocs(malware="CobaltStrike")
check_ransomwareLook up ransomware payment addresses and transaction data from RansomwhereFree / No keycheck_ransomware(address="bc1q...")

DevSecOps (3 tools)

ToolDescriptionAPI Key RequiredExample Usage
scan_dependenciesScan package names and versions against OSV.dev for known vulnerabilitiesFree / No keyscan_dependencies(ecosystem="PyPI", packages={"requests": "2.28.0"})
scan_github_advisoriesSearch GitHub Security Advisories by ecosystem, package, or severityGITHUB_TOKEN (optional)scan_github_advisories(ecosystem="pip", package="django")
urlscan_checkSubmit a URL for scanning or retrieve previous scan results from URLScan.ioURLSCAN_API_KEYurlscan_check("https://suspicious-site.com")

πŸ“Š Risk score explained

The calculate_risk_score tool produces a composite risk score from 0 to 100 by weighting four independent signals.

The formula

Copy & paste β€” that's it
Risk Score = (CVSS Γ— 0.20) + (EPSS Γ— 0.35) + (KEV Γ— 0.30) + (PoC Γ— 0.15)
ComponentWeightWhat It Captures
CVSS v3.1 Base Score20%Theoretical worst-case severity
EPSS Probability35%Statistical likelihood of exploitation in the next 30 days
CISA KEV Status30%Confirmed active exploitation in the wild
PoC Availability15%Public exploit code lowers the barrier for attackers

Boost multipliers

  • KEV + active PoC β†’ Γ—1.15
  • CVSS β‰₯ 9.0 + EPSS > 0.7 β†’ Γ—1.10
  • Published < 7 days ago β†’ Γ—1.05

Score is capped at 100.

Risk Scoring β€” v1 (2026-06)

The numeric scorer is scoring_version 1.0 (surfaced in triage_cve, calculate_risk_score, and health_check). The linear weighted sum above is the v1 default for the numeric score, with one hard override:

  • CISA KEV hard override: a KEV-listed CVE is confirmed exploited in the wild, the single strongest exploitation signal. Its label can never be lower than CRITICAL and its score is clamped to β‰₯ 76, regardless of CVSS/EPSS. (A KEV CVE with a low CVSS and low EPSS still returns CRITICAL / 76.)
  • CVSS is treated as a severity signal, not an exploitation-likelihood signal (per Allodi & Massacci 2014); EPSS and KEV carry the exploitation signal.
  • An experimental SSVC v2 gated decision (CISA Deployer model β†’ Act / Attend / Track* / Track) is available via triage_cve(depth="deep") as a qualitative, explainable alternative to the 0–100 number.
ScoreLabelRecommended Action
0 – 25LOWSchedule for next maintenance window
26 – 50MEDIUMPatch within 30 days per SLA
51 – 75HIGHPatch within 7 days; escalate to team lead
76 – 100CRITICALPatch within 24–48 hours. Emergency change window.

Why these weights?

EPSS gets the highest weight (35%) because it's the single best predictor of actual exploitation β€” far better than CVSS alone. A CVSS 10.0 with EPSS 0.01 is theoretically dangerous but practically unlikely. KEV at 30% is ground truth: confirmed exploitation, not a prediction. CVSS at 20% captures severity context for new CVEs with insufficient EPSS data. PoC at 15% reflects that public exploits dramatically accelerate real-world attacks.


πŸ†• What's new in v0.2.0

  • triage_cve orchestrator β€” one tool call that fans out NVD + EPSS + CISA KEV (+ public PoC discovery for depth != "quick") concurrently, computes the composite risk score, and returns a clean report. depth is quick / standard (default) / deep; deep additionally emits the SSVC v2 gated decision.
  • New upstream sources β€” VulnCheck NVD++ (a transparent NVD fallback used automatically inside triage_cve when NIST NVD is unreachable/throttled), CIRCL hashlookup, and the HIBP Pwned Passwords range API.
  • KEV hard-override scoring + scoring_version β€” KEV-listed CVEs are always CRITICAL (score β‰₯ 76); the scoring version is reported in triage_cve and health_check.
  • HTTP transport β€” set MCP_TRANSPORT=http to serve streamable-HTTP on HOST:PORT (default 0.0.0.0:8000, stateless) instead of stdio. Ships with a Dockerfile.
  • Resources & prompts β€” resources kev://catalog, epss://scores/{cve_id}, and manifest://tool-hash (SHA-256 over the registered tool surface); prompts patch_decision, compare_and_prioritize, and dependency_triage.
  • Security posture β€” the server never registers a sampling handler / never issues sampling/createMessage (Unit 42 MCP-sampling attack vector); new outbound paths are scheme/host-allowlisted.

🌐 Data sources

#SourceData ProvidedAuthRate Limit (Free)
1NVDCVE details, CVSS, CWEs, CPEsapiKey header (optional)5 req/30s (50 with key)
2EPSSExploitation probability and percentilesNone1,000 req/min
3CISA KEVActively exploited CVE catalogNoneStatic file
4OSV.devOpen-source package vulnerabilitiesNoneNo published limit
5GitHub AdvisoriesGHSA advisories, patches, affected versionsBearer token60/hr (5,000 with PAT)
6MITRE ATT&CKTTPs, techniques, mitigationsNoneNo published limit
7AbuseIPDBIP abuse confidence, reports, ISP, geoKey header1,000 checks/day
8GreyNoiseIP noise/scan activity, classificationkey header50 queries/week
9ShodanOpen ports, services, banners, CVEskey query paramBasic lookups
10VirusTotalMulti-AV scan results, reputationx-apikey header500/day, 4/min
11MalwareBazaarMalware samples, hashes, signaturesAuth-Key headerFair use
12ThreatFoxIOCs linked to malware familiesAuth-Key headerFair use
13RansomwhereRansomware BTC addresses and transactionsNoneNo published limit
14URLScan.ioURL scanning, screenshots, DOMAPI-Key header5,000 public scans/day
15CIRCL PDNSHistorical passive DNS recordsHTTP Basic AuthPartner access
16GitHub Code SearchExploit PoC repository searchBearer tokenShared with GHSA limits
17Exploit-DBPublic exploit database CSVNoneNo published limit
18Nuclei TemplatesCommunity detection templatesNoneNo published limit
19MSRCMicrosoft security advisoriesNoneNo published limit
20Red Hat SecurityRed Hat CVE advisoriesNoneNo published limit
21Ubuntu SecurityUbuntu CVE trackerNoneNo published limit
22VulnCheck NVD++NVD-schema CVE records (transparent NVD fallback)Bearer token (free Community)Per VulnCheck Community tier
23CIRCL hashlookupKnown-good file metadata (NSRL + others), hashlookup:trustNoneBest-effort
24HIBP Pwned PasswordsBreached-password counts via k-anonymity range APINoneNo hard limit

πŸ›οΈ Architecture deep dive

File structure

Copy & paste β€” that's it
src/cve_mcp/
β”œβ”€β”€ server.py              # FastMCP server β€” all 27 @mcp.tool() definitions
β”œβ”€β”€ config.py              # Environment config and API base URLs
β”œβ”€β”€ models.py              # Pydantic models (CVERecord, KEVEntry, EPSSScore, ...)
β”œβ”€β”€ audit.py               # Rotating audit log (50MB, 5 backups)
β”œβ”€β”€ api/
β”‚   β”œβ”€β”€ nvd_client.py      # NVD REST API v2.0
β”‚   β”œβ”€β”€ osv_client.py      # OSV.dev package vulnerability API
β”‚   β”œβ”€β”€ epss_client.py     # FIRST EPSS API
β”‚   β”œβ”€β”€ kev_client.py      # CISA KEV catalog
β”‚   β”œβ”€β”€ ip_intel.py        # AbuseIPDB + GreyNoise
β”‚   β”œβ”€β”€ domain_intel.py    # crt.sh + CIRCL passive DNS
β”‚   β”œβ”€β”€ shodan_client.py   # Shodan host intelligence
β”‚   β”œβ”€β”€ hash_intel.py      # MalwareBazaar + VirusTotal
β”‚   β”œβ”€β”€ url_safety.py      # URLScan.io
β”‚   β”œβ”€β”€ malware_intel.py   # ThreatFox IOC lookup
β”‚   β”œβ”€β”€ ransomware_intel.py# Ransomwhere Bitcoin address lookup
β”‚   β”œβ”€β”€ exploit_intel.py   # GitHub PoC/exploit search
β”‚   β”œβ”€β”€ vendor_advisory.py # MSRC + Red Hat + Ubuntu advisories
β”‚   β”œβ”€β”€ attack_mapping.py  # MITRE ATT&CK STIX mapping
β”‚   β”œβ”€β”€ cve_timeline.py    # CVE event timeline builder
β”‚   β”œβ”€β”€ dependency_scan.py # OSV-based dependency scanning
β”‚   β”œβ”€β”€ poc_checker.py     # GitHub + Exploit-DB + Nuclei PoC search
β”‚   β”œβ”€β”€ report_generator.py# Vuln report + CVE comparison matrix
β”‚   └── rate_limiter.py    # Token bucket rate limiter for NVD
β”œβ”€β”€ cache/
β”‚   └── sqlite_cache.py    # Async SQLite cache with per-key TTL
└── utils/
    β”œβ”€β”€ validators.py       # CVE ID normalization, IP/hash validation
    └── risk_scorer.py      # Composite risk score computation

Caching strategy

ResourceTTL
CVE records (NVD)1 hour
EPSS scores6 hours
KEV catalog1 hour
IP / domain intel1 hour
Exploit-DB CSV24 hours
ATT&CK STIX data24 hours
Ransomware intel24 hours

Audit log

Every tool invocation is logged to ~/.cve-mcp/audit.log:

Copy & paste β€” that's it
{
  "timestamp": "2026-04-14T10:23:45.123Z",
  "tool": "lookup_cve",
  "parameters": {"cve_id": "CVE-2024-3400"},
  "duration_ms": 342,
  "cache_hit": false,
  "status": "ok"
}

API keys and response payloads are never written to audit logs.


πŸ” Security and privacy

What data leaves your machine

  • Outbound HTTPS only β€” no inbound ports opened, no telemetry
  • CVE IDs, IPs, hashes, domains, and package names are sent to respective APIs for lookup
  • API responses are cached locally in SQLite β€” cached data stays on your machine

Private IP blocking

All network intelligence tools block private and reserved IP ranges before any external API call:

  • 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918)
  • 127.0.0.0/8 (loopback), 169.254.0.0/16 (link-local)
  • ::1, fc00::/7 (IPv6 private)

API key protection

  • Keys loaded from environment variables only β€” never hardcoded
  • .env is gitignored
  • Keys never logged, cached, or included in audit entries

XML safety

defusedxml is used for all XML parsing to prevent XML bomb attacks (billion laughs, XXE injection).


🀝 Contributing

Contributions are welcome.

Adding a new tool

  1. Add the tool function in server.py with the @mcp.tool() decorator
  2. Add input validation in utils/validators.py
  3. Implement the API client in api/
  4. Add tests in tests/
  5. Update this README
Copy & paste β€” that's it
@mcp.tool()
async def my_new_tool(param: str, ctx: Context = None) -> str:
    """
    One-line description for Claude to know when to use this tool.

    Args:
        param: Description of the parameter
    """
    app = _get_app(ctx)
    # validate β†’ cache check β†’ API call β†’ cache write β†’ audit β†’ return

Testing requirements

  • All new tools must have at least one offline test with mocked responses
  • Risk score changes must include formula verification test cases
  • Network tools must include a test verifying private IP blocking
  • All tests must pass: pytest tests/ -v

πŸ“„ License

MIT License β€” see LICENSE for details.

Copy & paste β€” that's it
Copyright (c) 2025-2026 Mahipal Jangra (mukul975)

<p align="center"> Built with πŸ” by <a href="https://github.com/mukul975">Mahipal Jangra</a> Β· Berlin, Germany<br> <em>Turning security intelligence into conversation.</em> </p>