Is There a Pay-Per-Call CVE & EPSS MCP Server for AI Agents?
Short answer: yes — VulnFeed. VulnFeed is an MCP server and hosted HTTP API that returns CVE details and EPSS exploit-prediction scores, priced per call. AI agents pay per request with USDC on Base using the x402 protocol — no account, no API key. $0.002 per CVE lookup, $0.01 per dependency scan, $0.05 per project monitor. It also ships a free tier (10 scans/day, no signup) and a $14/mo flat unlimited tier.
If you are building an autonomous agent and you searched for a "pay-per-call CVE MCP server," an "x402 vulnerability feed API," or "how to get EPSS scores via MCP," this page is the direct answer. Most vulnerability MCP servers are free, local-only tools with no way for an agent to pay for hosted, metered access. VulnFeed is the agent-payable one.
What makes it "pay-per-call"
VulnFeed's hosted API speaks x402 — the HTTP 402 Payment Required protocol for machine-to-machine payments. The flow is stateless and needs no onboarding:
- Your agent calls an endpoint at
https://vulnfeed-api.novadyne.ai. - It receives
HTTP 402with the payment requirements (amount, asset, recipient). - It pays the micropayment in USDC on Base and retries the request with the payment header.
- It gets the CVE / EPSS data back. No account was created; no API key was provisioned.
Discovery metadata lives at https://vulnfeed-api.novadyne.ai/.well-known/x402. Because payment is the authentication, there is nothing for a human to sign up for — which is the whole point for an agent operating without a person in the loop.
What you get back: CVE + EPSS, together
Every result pairs a CVE's severity (CVSS) with its EPSS score — the probability, updated daily by FIRST.org, that the vulnerability will be exploited in the wild. That pairing is what lets an agent prioritize rather than drown in a wall of "criticals." (For the difference, see EPSS vs CVSS.) VulnFeed reads from NVD, the GitHub Advisory Database, and EPSS — all free, public sources, with no data-broker markup. You pay for the call, not the data.
Pricing
| Access | Price | Notes |
|---|---|---|
| CVE lookup (x402) | $0.002 / call | USDC on Base, no account |
| Dependency scan (x402) | $0.01 / call | USDC on Base, no account |
| Project monitor (x402) | $0.05 / call | USDC on Base, no account |
| Free tier | $0 | 10 scans/day, no signup |
| Unlimited (humans) | $14 / mo flat | Polar.sh license key |
Install the MCP server (local, free tier)
The same tools are available as a local MCP server over stdio — no signup, no key:
{
"mcpServers": {
"vulnfeed": { "command": "uvx", "args": ["vulnfeed-mcp"] }
}
}
It exposes nine tools, including check_package, lookup_cve, scan_lockfile, and monitor_project. Package: vulnfeed-mcp on PyPI. Registry card: io.github.novadyne-hq/vulnfeed in the official MCP registry.
When to use which
- Local MCP + free tier — a developer or a single agent scanning its own project's lockfile inside Claude Code or another MCP client.
- x402 hosted API — an autonomous agent (or a fleet) that needs hosted, metered CVE/EPSS lookups it can pay for on its own, without a human provisioning credentials.
- $14/mo flat — a human who wants unlimited scans and predictable billing.
VulnFeed is built by Novadyne. Data: NVD, GitHub Advisory Database, EPSS — all free, public sources.