Summary
Gives your AI agent live access to Python package vulnerability data from PyPI and OSV so it can make safer dependency choices while coding. You get three tools: most_recent_not_vulnerable finds the latest clean release of a package, is_vulnerable checks if a specific pinned version has known CVEs, and lookup shows which versions in a range are affected. The agent calls them automatically when you ask it to add dependencies, audit a requirements file, or pin a version. Responses include CVE IDs, CVSS scores, severity ratings, and links to full advisories. Runs as a remote HTTP server at mcp.fetter.io, so there's nothing to install locally.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Fetter MCP
Fetter provides a remote Model Context Protocol (MCP) server at https://mcp.fetter.io/mcp that gives AI coding agents real-time access to Python package vulnerability data. Built on fetter, it queries PyPI and OSV to surface known CVEs, CVSS scores, and safe versions so your agent can make informed dependency decisions as it writes code.
Tools:
most_recent_not_vulnerable: find the latest release of a package that is free of known vulnerabilitiesis_vulnerable: check whether a specific pinned version has known CVEslookup: find available versions and their vulnerabilities for any package or specifier
Installation
The Fetter MCP server uses the HTTP transport and requires no local installation. Just register the remote URL with your MCP client.
Claude Code
claude mcp add --transport http fetter https://mcp.fetter.io/mcp
Codex
codex mcp add fetter --url https://mcp.fetter.io/mcp
Other MCP Clients
For any other MCP-compatible client, provide the following remote server URL using the HTTP transport:
https://mcp.fetter.io/mcp
Agent Usage
Once installed, the Fetter MCP tools are available to your AI agent during coding sessions. The agent can call them automatically when adding or auditing dependencies; no explicit tool invocation is required in your prompts.
Example prompts
- "Add the latest safe version of requests to requirements.txt"
- "Are there any known vulnerabilities in my current dependencies?"
- "What is the most recent version of pillow with no CVEs?"
- "Before pinning cryptography, check whether 42.0.5 is vulnerable"
The agent selects the appropriate tool based on context:
- Adding a new package:
most_recent_not_vulnerableto find a safe version - Validating a specific pinned version:
is_vulnerablefor a definitive answer - Auditing an existing specifier:
lookupto see affected versions
most_recent_not_vulnerable
Find the most recent version of a package that has no known vulnerabilities. Provide only a package name and the server will search recent releases for a safe version. Useful when pinning a dependency to the latest clean release.
Parameters
package_name— package name only (no version specifier), e.g."requests"
Example Request
{
"jsonrpc": "2.0",
"method": "tools/call",
"id": 2,
"params": {
"name": "most_recent_not_vulnerable",
"arguments": {
"name": "cryptography"
}
}
}
Example Response:
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"content": [],
"structuredContent": {
"package": "cryptography",
"version": "46.0.5",
"vulnerabilities": [],
"vulnerable": false
},
"isError": false
}
}
is_vulnerable
Check if a specific package version has known vulnerabilities. Requires an exact version specifier. Returns vulnerability IDs, summaries, CVSS scores, severity ratings, and reference URLs.
Parameters
dep_spec— exact version specifier, e.g."requests==2.31.0"
Example Request
{
"jsonrpc": "2.0",
"method": "tools/call",
"id": 2,
"params": {
"name": "is_vulnerable",
"arguments": {
"name": "requests==2.19.1"
}
}
}
Example Response:
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"content": [],
"structuredContent": {
"package": "requests",
"version": "2.19.1",
"vulnerabilities": [
{
"cvss_score": 5.3,
"id": "GHSA-9hjg-9r4m-mvj7",
"severity": "(Medium):",
"summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
"url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
},
{
"cvss_score": 5.6,
"id": "GHSA-9wx4-h78v-vm56",
"severity": "(Medium):",
"summary": "Requests Session object does not verify requests after making first request with verify=False",
"url": "https://osv.dev/vulnerability/GHSA-9wx4-h78v-vm56"
},
{
"cvss_score": 6.1,
"id": "GHSA-j8r2-6x86-q33q",
"severity": "(Medium):",
"summary": "Unintended leak of Proxy-Authorization header in requests",
"url": "https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q"
},
{
"cvss_score": 7.5,
"id": "GHSA-x84v-xcm2-53pg",
"severity": "(High):",
"summary": "Insufficiently Protected Credentials in Requests",
"url": "https://osv.dev/vulnerability/GHSA-x84v-xcm2-53pg"
},
{
"cvss_score": null,
"id": "PYSEC-2018-28",
"severity": null,
"summary": "",
"url": "https://osv.dev/vulnerability/PYSEC-2018-28"
},
{
"cvss_score": null,
"id": "PYSEC-2023-74",
"severity": null,
"summary": "",
"url": "https://osv.dev/vulnerability/PYSEC-2023-74"
}
],
"vulnerable": true
},
"isError": false
}
}
lookup
Look up a package by name and optional version specifier to find which versions are available and whether they have known vulnerabilities. Supports specifiers such as "requests", "numpy>=2.0", or "flask==3.0.0".
Parameters
dep_specs— package name or version specifiercvss_threshold— filter to vulnerabilities at or above this CVSS score (0–10)max_observed_score— return only the highest CVSS score per version rather than all individual vulnerabilitiescount— limit the number of recent versions checkedretain_passing— include versions with no known vulnerabilities in the results
Example Request
{
"jsonrpc": "2.0",
"method": "tools/call",
"id": 2,
"params": {
"name": "lookup",
"arguments": {
"name": "requests>=2.32.0",
"retain_passing": true
}
}
}
Example Response:
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"content": [],
"structuredContent": {
"package": "requests",
"versions": [
{
"version": "2.32.0",
"vulnerabilities": [
{
"cvss_score": 5.3,
"id": "GHSA-9hjg-9r4m-mvj7",
"severity": "(Medium):",
"summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
"url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
}
],
"vulnerable": true
},
{
"version": "2.32.1",
"vulnerabilities": [
{
"cvss_score": 5.3,
"id": "GHSA-9hjg-9r4m-mvj7",
"severity": "(Medium):",
"summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
"url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
}
],
"vulnerable": true
},
{
"version": "2.32.2",
"vulnerabilities": [
{
"cvss_score": 5.3,
"id": "GHSA-9hjg-9r4m-mvj7",
"severity": "(Medium):",
"summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
"url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
}
],
"vulnerable": true
},
{
"version": "2.32.3",
"vulnerabilities": [
{
"cvss_score": 5.3,
"id": "GHSA-9hjg-9r4m-mvj7",
"severity": "(Medium):",
"summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
"url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
}
],
"vulnerable": true
},
{
"version": "2.32.4",
"vulnerabilities": [],
"vulnerable": false
},
{
"version": "2.32.5",
"vulnerabilities": [],
"vulnerable": false
}
]
},
"isError": false
}
}
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Categories
Registryactive
TransportHTTP
UpdatedFeb 26, 2026
