Live threat intelligence MCP server — IP lookup, CVE intel, KEV Oracle predictions, malware hashes, pre-attack staging detection. Free, no API key required.
Project description
KeyboardCrumbs MCP Server
mcp-name: com.keyboardcrumbs/mcp
Live threat intelligence tools for Claude Desktop. Free, no API key required.
Tools
| Tool | Description |
|---|---|
check_ip |
Threat intel for any IP — risk score, geo, ASN, C2 associations, staging clusters |
check_cve |
CVE lookup — CVSS, EPSS, KEV status, exploit availability, patch urgency |
check_domain |
Domain intel — DNS records, WHOIS, malware associations, subdomains |
check_hash |
Malware hash lookup via VirusTotal (68+ engines) + CIRCL (6.3B files) |
active_threats |
Live snapshot — KEV count, active C2s, ransomware victims, data freshness |
predict_kev |
KEV Oracle — top CVEs predicted to be added to CISA KEV before it happens |
check_staging |
GhostWatch — detect pre-attack infrastructure staging for an IP or domain |
check_ransomware |
Ransomware group lookup and victim tracking |
Install
Option 1 — uvx (no install needed)
Add to claude_desktop_config.json:
{
"mcpServers": {
"keyboardcrumbs": {
"command": "uvx",
"args": ["--from", "git+https://github.com/keyboardcrumbs/mcp", "keyboardcrumbs-mcp"]
}
}
}
Option 2 — Clone and run locally
git clone https://github.com/keyboardcrumbs/mcp
cd mcp
uv venv && source .venv/bin/activate
uv add "mcp[cli]" httpx
Add to claude_desktop_config.json:
{
"mcpServers": {
"keyboardcrumbs": {
"command": "uv",
"args": ["--directory", "/path/to/mcp", "run", "server.py"]
}
}
}
Restart Claude Desktop.
Example Usage
Once installed, just ask Claude:
- "Is 45.141.26.73 malicious?"
- "Should I patch CVE-2024-3400 immediately?"
- "What CVEs are about to be added to CISA KEV?"
- "Is this domain staging for an attack?"
- "What's the current threat landscape?"
Claude will call the live KeyboardCrumbs API and return real-time threat intelligence.
Data Sources
URLhaus · Feodo Tracker · AlienVault OTX · CISA KEV · NVD · EPSS · ExploitDB · VirusTotal · CIRCL · SANS ISC DShield · Shodan · RIPE · crt.sh · Ransomware.live
Data updates every 15 minutes. No API key. No signup. No rate limits for normal use.
Links
- Dashboard: https://threats.keyboardcrumbs.com
- GhostWatch: https://ghost.keyboardcrumbs.com
- KEV Oracle: https://oracle.keyboardcrumbs.com
- API docs: https://api.keyboardcrumbs.com
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keyboardcrumbs_mcp-1.0.1.tar.gz.
File metadata
- Download URL: keyboardcrumbs_mcp-1.0.1.tar.gz
- Upload date:
- Size: 6.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c5599bb1e3fd30e88969a4f556f29a1458f65bab3e44ff65b29c7a5814f5d9d2
|
|
| MD5 |
8e0a2677707ce72dc01fcc2ca97a0b4e
|
|
| BLAKE2b-256 |
e629715407ce184a96b92b9a3801913dc4a34360c42968030a8eaa05586e0d88
|
File details
Details for the file keyboardcrumbs_mcp-1.0.1-py3-none-any.whl.
File metadata
- Download URL: keyboardcrumbs_mcp-1.0.1-py3-none-any.whl
- Upload date:
- Size: 7.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
31af440ae05045f37867a98b7632d062bfc59e34fd50a59122f817712784c184
|
|
| MD5 |
ba1d4c63cbcf6ac714e9e8bc7b578844
|
|
| BLAKE2b-256 |
fcbaf86e8547bb757d744c763889d87741d011eda83b7cf0371ddbf8bfa23787
|
