Scans project lockfiles for known vulnerabilities using OSV.dev data, enriched with EPSS exploit probability scores to cut through the noise. Supports nine ecosystems including npm, pip, Go, Rust, and Cargo. Nine tools let you scan entire projects or individual packages, look up CVE details with fix versions, and set up continuous monitoring that diffs against a baseline to surface only new vulnerabilities. Smart filtering suppresses low-EPSS, low-severity CVEs by default. Free tier gives you 10 scans per day with no signup. Paid tier is $14/month for unlimited scans, or pay per scan via x402 micropayments with USDC on Base.
An MCP server that scans your project dependencies for known vulnerabilities, enriches with EPSS exploit probability scores, and recommends fix versions.
Free tier — 10 scans/day, 1 monitored project, no signup required.
Homepage: vulnfeed.novadyne.ai
```sh
uvx vulnfeed-mcp
```
Add to your MCP client config (~/.claude/settings.json for Claude Code, claude_desktop_config.json for Claude Desktop):
Free tier (no signup, no API key):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
```
Paid ($14/mo, unlimited scans + projects):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
```
Get a license key at vulnfeed.novadyne.ai.
VulnFeed also accepts x402 micropayments — AI agents can pay per scan with USDC on Base, no API key or signup needed. When the free tier limit is reached, the API returns HTTP 402 with payment requirements that x402-compatible clients handle automatically.
Scanning tools:

| Tool | Description |
|---|---|
| scan_project | Auto-detect and scan all lockfiles in a directory |
| scan_lockfile | Scan a specific lockfile |
| check_package | Check a single package for vulnerabilities |
| lookup_cve | Detailed CVE info with EPSS + fix versions |

Monitoring tools:

| Tool | Description |
|---|---|
| monitor_project | Register for continuous monitoring |
| check_alerts | New vulns since last scan |
| update_deps | Update snapshot after upgrading packages |
| list_monitored | See all monitored projects |
| unmonitor_project | Remove from monitoring |
Supported lockfiles:

- package-lock.json (npm)
- yarn.lock (Yarn)
- pnpm-lock.yaml (pnpm)
- requirements.txt (pip)
- Pipfile.lock (Pipenv)
- go.sum / go.mod (Go)
- Cargo.lock (Rust)
- Gemfile.lock (Ruby)
- composer.lock (PHP)

By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.
Pass show_all=True to any scan tool to see everything.
Monitoring workflow:

- monitor_project — takes a baseline snapshot of current deps + known vulns
- check_alerts — diffs against baseline, surfaces only new vulns
- Run check_alerts periodically to catch newly published CVEs

License: MIT
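The two rules described above, the default noise filter (suppress a finding only when EPSS < 10% AND CVSS < 9.0, unless show_all is set) and the monitor_project/check_alerts baseline diff, as an added worked example. This is not vulnfeed-mcp's own code: it parses a constructed requirements.txt, matches it against constructed OSV-style advisory records (ids, versions and scores are made up), and uses a simplified dotted-integer version comparison rather than the real OSV range semantics.

```python
"""Added example (not vulnfeed-mcp's code): VulnFeed-style noise filter and
baseline diff applied to a constructed requirements.txt and advisories."""
from dataclasses import dataclass

# Thresholds stated on the page: suppress when EPSS < 10% AND CVSS < 9.0.
EPSS_THRESHOLD = 0.10
CVSS_THRESHOLD = 9.0


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    cvss: float
    epss: float      # exploit probability, 0.0 to 1.0


# Constructed sample advisories; every id, version and score is invented.
ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "requests", "0", "2.31.0", 6.1, 0.02),   # low EPSS, medium CVSS
    Advisory("VULN-EXAMPLE-0002", "pyyaml", "0", "5.4", 9.8, 0.03),        # critical CVSS, low EPSS
    Advisory("VULN-EXAMPLE-0003", "urllib3", "1.0", "1.26.18", 5.3, 0.45), # high EPSS, medium CVSS
    Advisory("VULN-EXAMPLE-0004", "urllib3", "2.0.0", "2.0.7", 7.5, 0.01), # range not installed
]

# Constructed lockfile content (pip requirements.txt with pinned versions).
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.28.1
pyyaml==5.3.1
urllib3==1.26.5
flask==2.3.2
"""


def version_key(version):
    """Simplified comparison key: dotted integers, non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_requirements(text):
    """Return {name: version} for pinned (==) lines; comments and unpinned lines are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version, adv):
    return version_key(adv.introduced) <= version_key(version) < version_key(adv.fixed)


def scan(deps, advisories=ADVISORIES):
    """Every advisory whose affected range contains the installed pinned version."""
    return [a for a in advisories if a.package in deps and is_affected(deps[a.package], a)]


def is_noise(adv):
    """The page's suppression rule: both EPSS and CVSS below their thresholds."""
    return adv.epss < EPSS_THRESHOLD and adv.cvss < CVSS_THRESHOLD


def filter_findings(findings, show_all=False):
    return list(findings) if show_all else [f for f in findings if not is_noise(f)]


def new_alerts(baseline_ids, current_findings):
    """check_alerts-style diff: vuln ids present now that were absent from the baseline."""
    return sorted(f.vuln_id for f in current_findings if f.vuln_id not in baseline_ids)


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    all_findings = scan(deps)
    shown = filter_findings(all_findings)
    print(f"{len(all_findings)} findings, {len(shown)} after default filtering")
    # Pretend the baseline snapshot was taken before VULN-EXAMPLE-0003 was published.
    baseline = {"VULN-EXAMPLE-0002"}
    print("new since baseline:", new_alerts(baseline, shown))
```

Running it reports three raw findings, two after filtering (the requests advisory is suppressed because it is low on both scores), and one new alert relative to the baseline. Swapping the baseline to the full current set, as update_deps would after an upgrade, yields no alerts.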
| Variable | Type | Description |
|---|---|---|
| VULNFEED_API_KEY | secret | Polar.sh license key for paid tier (optional — free tier works without it) |