3 posts tagged with "Python"

Your vulnerability scanner dumps 200 CVEs. You sort by CVSS score. The CVSS 9.8 at the top gets your attention. You patch it first.

Meanwhile, a CVSS 5.0 three pages down is in active ransomware campaigns. CISA added it to the Known Exploited Vulnerabilities catalog last week. EPSS gives it an 80% exploitation probability. Nobody looked at it because it was page three.

CVSS tells you how bad a vulnerability could be. It says nothing about whether anyone is actually exploiting it. For that, you need two more data sources — and nobody combines all three in one place.

Until now. vulnerability-intelligence-mcp is an open-source MCP server that pulls from NIST NVD, CISA KEV, and FIRST.org EPSS, computes a composite risk score, and gives your AI 30 tools for CVE analysis, watchlist tracking, and scanner triage.

MCP Apps look simple in the spec. Your tool returns HTML, the host renders it in an iframe, the user sees a dashboard instead of a wall of JSON. Build one app, it works everywhere.

In practice, I've shipped MCP Apps to both ChatGPT and Claude over the past few months and learned that "works everywhere" requires handling a surprising number of sharp edges — iframe sandboxing, data format differences, a picky initialization handshake, and an interactive tool-calling pattern that's barely documented anywhere.

Here's everything I've learned, with the exact code for each one.

My first MCP server took three hours to get working because I made every possible mistake: no logging, broke stdio with print statements, forgot to restart Claude Desktop, and wondered why nothing worked. Your first one should take 30 minutes.

This is what actually works, with the debugging steps I wish I'd known upfront.