I built this because I kept asking Claude to check my dependencies for known vulns and it would either make up CVEs or tell me to go run something myself. VulnFeed is an MCP server that gives an agent real, current vulnerability data it can actually call.
The useful bit in one line: point it at a `package-lock.json` / `requirements.txt` / `go.sum` / etc. and it returns the known CVEs, each scored by EPSS (the probability it'll actually be exploited — so you triage the 2 that matter instead of the 40 that don't), plus the fixed version.
Boring details: the client is MIT (github.com/novadyne-hq/vulnfeed-mcp, on PyPI as `vulnfeed-mcp`). Scanning is free. Two of the nine tools — detailed single-CVE lookup and continuous project monitoring — are paid; you can pay per call with no account at all (HTTP 402 micropayment) or subscribe, so there's no signup wall just to try it. The hosted backend is closed for now.
I'd genuinely like feedback on three things: (1) what tools are missing that you'd want your agent to have, (2) does per-call vs subscription pricing make sense here, (3) how's the data freshness / any false positives you hit.
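As an added illustration of the EPSS-based triage described above (my own example, not VulnFeed's code and not its actual response format), this pulls the installed versions out of a `package-lock.json` and ranks constructed findings by exploitation probability; the CVE ids and EPSS values are placeholders, not real advisories:

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed package-lock.json (lockfileVersion 3 layout: "packages" keyed by node_modules path).
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/lodash/node_modules/nested": {"version": "0.1.0"},
    },
})

def lockfile_packages(text: str) -> Dict[str, str]:
    """Map package name -> installed version from a v2/v3 package-lock.json."""
    data = json.loads(text)
    out: Dict[str, str] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        # The name is everything after the last "node_modules/", which also
        # handles nested installs and @scoped packages.
        out[path.rsplit("node_modules/", 1)[-1]] = meta["version"]
    return out

@dataclass(frozen=True)
class Finding:
    package: str
    cve: str              # placeholder ids below, not real advisories
    epss: float           # EPSS: probability of exploitation in the next 30 days, 0..1
    fixed_in: Optional[str]

# Constructed findings; "express" is deliberately absent from the lockfile above.
FINDINGS = [
    Finding("lodash", "CVE-0000-0001", 0.91, "4.17.21"),
    Finding("lodash", "CVE-0000-0002", 0.02, "4.17.21"),
    Finding("left-pad", "CVE-0000-0003", 0.004, None),
    Finding("express", "CVE-0000-0004", 0.80, "4.18.0"),
]

def triage(findings: List[Finding], installed: Dict[str, str],
           threshold: float = 0.1) -> Tuple[List[Finding], List[Finding]]:
    """Drop findings for packages not in the lockfile, then split the rest at the
    EPSS threshold: (act now, defer), each sorted by exploitation probability."""
    present = [f for f in findings if f.package in installed]
    act = sorted((f for f in present if f.epss >= threshold), key=lambda f: -f.epss)
    defer = sorted((f for f in present if f.epss < threshold), key=lambda f: -f.epss)
    return act, defer

if __name__ == "__main__":
    act, defer = triage(FINDINGS, lockfile_packages(LOCKFILE))
    for f in act:
        print(f"FIX NOW  {f.package} {f.cve} epss={f.epss:.3f} fixed_in={f.fixed_in}")
    for f in defer:
        print(f"defer    {f.package} {f.cve} epss={f.epss:.3f}")
```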
ngburke•1h ago
Try it in 10 seconds, no signup, no key:
Or wire it into Claude / any MCP client: then ask it to "scan my package-lock.json."