Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| SHODAN_KEY | No | Shodan API key for host/port/service reconnaissance. Register at https://account.shodan.io/register. | |
| MAX_RETRIES | No | Number of retries on transient errors. Default is 3. | |
| NVD_API_KEY | No | NVD API key for faster lookups (50 req/30s vs 5 without key). Free at https://nvd.nist.gov/developers/request-an-api-key. | |
| URLSCAN_KEY | No | URLScan.io API key for URL scanning and website analysis. Sign up at https://urlscan.io/user/signup. | |
| GITHUB_TOKEN | No | GitHub token for increased rate limits (5,000 requests/hour vs 60 without token). Create at https://github.com/settings/tokens. | |
| ABUSEIPDB_KEY | No | AbuseIPDB API key for IP reputation lookups. Register at https://www.abuseipdb.com/register. | |
| CACHE_DB_PATH | No | Path to the SQLite cache database. Defaults to ~/.cve-mcp/cache.db. | |
| AUDIT_LOG_PATH | No | Path to the audit log file. Defaults to ~/.cve-mcp/audit.log. | |
| VIRUSTOTAL_KEY | No | VirusTotal API key for file/URL/domain/IP malware scanning. Sign up at https://www.virustotal.com/gui/join-us. | |
| CIRCL_PDNS_PASS | No | CIRCL Passive DNS password for authentication. Provided with CIRCL registration. | |
| CIRCL_PDNS_USER | No | CIRCL Passive DNS username for historical DNS lookups. Request access at https://www.circl.lu/services/passive-dns/. | |
| REQUEST_TIMEOUT | No | HTTP timeout in seconds. Default is 30. | |
| GREYNOISE_API_KEY | No | GreyNoise API key for IP noise/scan activity intelligence. Sign up at https://viz.greynoise.io/signup. | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

Name, Description
lookup_cve (A)

Look up a CVE by ID from NVD. Returns full details including CVSS scores, description, weaknesses, and CISA KEV status.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

search_cves (A)

Search NVD for CVEs by keyword and optional severity filter.

Args:
  query: Keyword to search (letters, numbers, spaces, hyphens, dots — max 200 chars)
  severity: Optional CVSS v3 severity filter: NONE, LOW, MEDIUM, HIGH, CRITICAL
  limit: Max results (1–50, default 10)

check_package_vulns (B)

Check a package for known vulnerabilities via OSV.dev.

Args:
  package: Package name (e.g. log4j-core, requests, lodash)
  ecosystem: Package ecosystem — PyPI, npm, Go, Maven, NuGet, crates.io, Packagist, Hex, RubyGems, Android, CocoaPods, GitHub Actions
  version: Optional specific version to check (e.g. 2.14.1)

get_epss_score (B)

Get EPSS (Exploit Prediction Scoring System) scores for one or more CVEs.

Args: cve_ids: Comma-separated CVE IDs (e.g. CVE-2021-44228,CVE-2022-22965)

check_kev (B)

Check if a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

parse_cvss (A)

Parse and explain a CVSS vector string (v2, v3.x, or v4.0).

Args: vector: CVSS vector string (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

get_cve_summary (A)

Get a comprehensive one-page summary of a CVE: severity, EPSS, KEV status, description, weaknesses, and timeline. Fetches NVD + EPSS concurrently.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

health_check (A)

Check the health of the CVE MCP server: NVD connectivity, KEV catalog status, cache, risk scoring version, tool manifest hash, and which optional API keys are configured (names only — never the key values).

Note: This tool pings NVD without rate limiting — do not call it in a loop.

check_ip_reputation (A)

Check an IP address reputation via AbuseIPDB and GreyNoise Community. Returns abuse confidence score, country, ISP, Tor status, and noise classification.

Args: ip: IPv4 or IPv6 address to check (e.g. 1.2.3.4 or 2001:db8::1)

get_domain_intel (C)

Get domain intelligence: certificate transparency logs (crt.sh) and passive DNS records (CIRCL PDNS). Returns subdomains and certificate history.

Args: domain: Domain name to investigate (e.g. example.com)

passive_dns_lookup (A)

Query CIRCL Passive DNS for historical DNS resolutions of an IP or domain. Shows what hostnames have resolved to this IP, or what IPs a domain has pointed to.

Args: ip_or_domain: IPv4/IPv6 address or domain name to query

shodan_host_lookup (A)

Look up a host on Shodan: open ports, running services, OS, CVEs on the host. Requires SHODAN_KEY environment variable.

Args: ip: IPv4 address to look up (e.g. 8.8.8.8)

lookup_file_hash (B)

Look up a file hash (MD5/SHA1/SHA256) against MalwareBazaar and VirusTotal. Returns malware family, detection stats, and file metadata.

Args: hash_str: MD5 (32 hex), SHA1 (40 hex), or SHA256 (64 hex) hash

check_url_safety (A)

Check a URL or domain for malicious activity via URLScan.io. Returns scan verdicts, malicious flag, score, and categories.

Args: url_or_domain: URL (https://example.com/path) or bare domain (example.com)

lookup_malware_family (A)

Look up an IOC (IP, domain, URL, or hash) against ThreatFox for malware family attribution. Returns confidence level, IOC type, and threat classification.

Args: ioc: Indicator of Compromise — IP address, domain, URL, MD5/SHA256 hash

check_ransomware_intel (A)

Check if a Bitcoin address is associated with a known ransomware family using the Ransomwhere database.

Args: bitcoin_address: Bitcoin wallet address to look up (P2PKH, P2SH, or bech32)

get_vendor_advisory (A)

Fetch vendor security advisories for a CVE from Microsoft (MSRC), Red Hat, and Ubuntu. Shows patch availability and affected products.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

check_exploit_availability (A)

Search GitHub for public proof-of-concept (PoC) exploit repositories for a CVE. Results are sorted by star count to surface the most credible exploits first.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

get_attack_mapping (A)

Map a CVE to MITRE ATT&CK techniques and associated threat groups. Downloads the ATT&CK dataset lazily (cached 24h). Searches technique descriptions and references for the CVE ID.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

get_cve_timeline (A)

Build a complete CVE lifecycle timeline: NVD publication date, EPSS score history, CISA KEV addition date, patch lag, and exploit window estimation.

Args: cve_id: CVE identifier (e.g. CVE-2021-44228)

scan_dependencies (A)

Bulk scan application dependencies for known CVEs via OSV.dev. Supports requirements.txt (PyPI), package.json (npm), pom.xml (Maven), or generic 'name:ecosystem:version' lines. Returns only vulnerable packages.

Args: dependency_list: Raw contents of requirements.txt, package.json, pom.xml, or newline-separated 'name:ecosystem:version' entries. Max 1000 packages per call.

scan_container_packages (A)

Scan container image packages (Alpine, Debian, Ubuntu OS packages) for known CVEs via OSV.dev. Input should be 'name:ecosystem:version' lines, one package per line, e.g. from 'apk info -v' or 'dpkg -l' output.

Supported ecosystems: Alpine, Debian, Ubuntu, and any OSV-supported ecosystem.

Args:
  packages: Newline-separated 'name:ecosystem:version' entries. Example:
    openssl:Alpine:3.0.7-r0
    musl:Alpine:1.2.4_r2
    libssl3:Debian:3.0.7-1

scan_repo_secrets (A)

Search GitHub public repositories for potential exposed credentials or secrets related to a search term (CVE ID, tool name, or keyword). Requires GITHUB_TOKEN for best results. For security research only.

Args: search_term: CVE ID, tool name, or keyword to search for in public repo files (e.g. CVE-2024-1234, AWS_SECRET_ACCESS_KEY, log4j)

check_poc_exists (B)

Search for proof-of-concept exploits across GitHub, Exploit-DB, and Nuclei templates.

calculate_risk_score (B)

Calculate a composite 0-100 risk score using CVSS, EPSS, KEV, and PoC data.

generate_vuln_report (C)

Generate a vulnerability report in executive, technical, or full format.

compare_cves (B)

Compare multiple CVEs by risk score and generate a patch priority ranking.

triage_cve (A)

One-call CVE triage orchestrator (v0.2.0).

Fans out the relevant upstream sources concurrently — NVD (with a transparent VulnCheck NVD++ fallback when NVD fails), EPSS, the CISA KEV catalog, and (for depth != "quick") public PoC/exploit discovery — then computes the composite risk score (KEV hard-override applies: a KEV-listed CVE is always CRITICAL with score >= 76). For depth == "deep" it additionally emits an SSVC v2 gated decision (Act / Attend / Track* / Track).

Args:
  cve_id: CVE identifier (e.g. CVE-2021-44228).
  depth:
    "quick" — NVD + EPSS + KEV (no PoC search; fastest)
    "standard" — adds PoC/exploit discovery (default)
    "deep" — adds an SSVC v2 qualitative decision.

Prompts

Interactive templates invoked by user choice

| Name | Description |
| --- | --- |
| patch_decision | Decide whether to patch a CVE now, using the triage_cve orchestrator. |
| compare_and_prioritize | Rank several CVEs for patch priority using triage_cve / compare_cves. |
| dependency_triage | Triage CVEs surfaced by a dependency/container scan via triage_cve. |

Resources

Contextual data attached and managed by the client

| Name | Description |
| --- | --- |
| kev_catalog_resource | Summary of the pre-warmed CISA Known Exploited Vulnerabilities (KEV) catalog held in server memory: total entry count, ransomware-linked count, and the most recently added entries. |
| tool_manifest_resource | Stable SHA-256 over the canonical JSON of every registered tool's {name, description, inputSchema}, sorted by name. Lets a client pin and verify the server's tool surface (detects added/removed/renamed tools or changed argument schemas). |

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mukul975/cve-mcp-server'