VulnFeed — Dependency Vulnerability Monitoring for Claude Code
Know when your dependencies are vulnerable.
An MCP server that reads your lockfile, checks NVD + GitHub Advisories, and tells you what actually matters — prioritized by real-world exploit probability, with exact fix versions.
Free tier — 10 scans/day, no signup. $14/mo for unlimited.
Try free — 2 min setup
Go unlimited — $14/mo
> Scan my project for vulnerabilities
Using: scan_project(".")
Scanning package-lock.json... 847 packages
GHSA-29mw-wpgm-hmr9 in express@4.17.1
Severity: HIGH | EPSS: 73.2% (HIGH) | Fix: upgrade to 4.21.0
Open redirect via malicious URL in res.location()
CVE-2024-29041 in [email protected]
Severity: MODERATE | EPSS: 0.8% (low) | Fix: upgrade to 4.19.2
3 affected packages, 12 vulnerabilities total
Top priority: express — the GHSA-29mw vuln has 73% exploit probability
Why not just ask Claude to check?
It knows your deps
Reads your package-lock.json, requirements.txt, or go.sum and filters to only the CVEs that hit your actual dependency tree. No noise from packages you don't use.
EPSS prioritization
Most CVEs are noise. EPSS (Exploit Prediction Scoring System) scores each one by real-world exploitability. VulnFeed surfaces the ones likely to be used in real attacks.
Fix recommendations
Not just "you're vulnerable" but upgrade express 4.17.1 → 4.21.0. Cross-references npm, PyPI, and Go registries for the exact version that fixes the issue.
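The matching and ranking that the three points above describe, as an added example that is not VulnFeed's own code: it reads a constructed package-lock.json, keeps only advisories whose package is installed below the advisory's fix version, and orders the hits by EPSS so the most exploitable one comes first. The lockfile and advisory list are constructed inline; the two express entries reuse the ids, fix versions, severities and EPSS values from the sample scan above, and the lodash entry is invented to show an already-fixed version being dropped.

```python
import json
# Constructed sample package-lock.json (lockfileVersion 3 "packages" layout),
# embedded so the example runs offline. Versions are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@scope/pkg": {"version": "0.9.0"},
    },
})

# Advisory records. The two express entries carry the id, fix version, severity
# and EPSS shown in the page's sample scan; the lodash entry is constructed to
# show that an already-fixed version is filtered out. Not a real feed.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-29mw-wpgm-hmr9", "package": "express", "fixed_in": "4.21.0",
     "severity": "HIGH", "epss": 0.732},
    {"id": "CVE-2024-29041", "package": "express", "fixed_in": "4.19.2",
     "severity": "MODERATE", "epss": 0.008},
    {"id": "EXAMPLE-0001", "package": "lodash", "fixed_in": "4.17.21",
     "severity": "HIGH", "epss": 0.400},
]

def parse_lock(text):
    """Return {package name: installed version} from a v2/v3 package-lock.json."""
    deps = {}
    for path, entry in json.loads(text).get("packages", {}).items():
        if not path:          # "" is the root project itself, not a dependency
            continue
        # Keep only what follows the last "node_modules/", so nested installs
        # resolve to the package name and scoped names (@scope/pkg) stay intact.
        deps[path.rsplit("node_modules/", 1)[-1]] = entry["version"]
    return deps

def _vkey(version):
    # Simplified numeric compare; pre-release tags (5.0.0-beta.1) need real semver.
    return tuple(int(p) for p in version.split("."))

def prioritize(deps, advisories):
    """Keep advisories whose package is installed below its fix version; rank by EPSS."""
    hits = [a for a in advisories
            if a["package"] in deps
            and _vkey(deps[a["package"]]) < _vkey(a["fixed_in"])]
    return sorted(hits, key=lambda a: a["epss"], reverse=True)

if __name__ == "__main__":
    for a in prioritize(parse_lock(SAMPLE_LOCK), SAMPLE_ADVISORIES):
        print(f'{a["id"]} in {a["package"]}: {a["severity"]} | EPSS {a["epss"]:.1%} | Fix: upgrade to {a["fixed_in"]}')
```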
Continuous monitoring
Register your project once. Check back any time for new vulnerabilities. New CVE published at 3am? It's in the index by 3:15am for your morning session.
9 tools, one install
Scan a lockfile, check a package, look up a CVE, monitor a project, check alerts, update deps, list projects. Everything a security workflow needs.
Zero upstream cost
Data sources are NVD, GitHub Advisory DB, and EPSS — all free, public APIs. No vendor lock-in, no data broker middlemen. Your $14 pays for the intelligence layer, not data access.
How it compares
Columns compared: Free MCP servers | Snyk / Socket | VulnFeed
Rows compared: CVE lookup, Knows your deps, EPSS prioritization, Fix recommendations, Continuous monitoring, MCP-native, Free tier, x402 micropayments, Price (paid).
Free tier: VulnFeed ✓ (10 scans/day)
x402 micropayments: VulnFeed ✓ ($0.01/scan)
Price (paid): Free MCP servers: Free | Snyk / Socket: $25-49/dev/mo | VulnFeed: $14/mo flat
Setup in 2 minutes
Free tier — no signup, no API key
10 scans/day, 1 monitored project. Just add this to your MCP config:
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
Works in Claude Code, Claude Desktop, Cursor, VS Code, and Windsurf.
Restart your client. Ask it to "scan my project for vulnerabilities". That's it.
Unlimited — $14/mo
Unlimited scans, unlimited monitored projects. Add your license key:
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
Get your license key — flat rate, not per-seat, not per-repo.
Pay-per-scan — x402 micropayments
AI agents can pay per request with USDC on Base — no account, no API key, no subscription. Your agent gets a 402 response, pays $0.01, and gets results. Works with any x402-compatible client.
# Agent sends request, gets HTTP 402 with payment details
# x402 client library handles payment automatically
# $0.01 per scan · $0.002 per CVE lookup · $0.05 per monitor

# Discovery endpoint:
curl https://vulnfeed-api.novadyne.ai/.well-known/x402
Uses the x402 protocol — USDC on Base via Coinbase facilitator. No middleman, instant settlement.
Start monitoring your dependencies.
Try free — no signup
Go unlimited — $14/mo