MCP for Cursor

The keyless MCP server that gives Cursor live versions and CVEs.

Add one line to Cursor's mcp.json and the agent can look up the latest stable version of a runtime, check whether a dependency has known CVEs, and pull the actively-exploited list - at the moment it writes code, not from training data.

The call

The same tools the MCP exposes are reachable over a keyless HTTP batch - here Cursor checks the current Python release line, whether lodash 4.17.10 has known CVEs, and the actively-exploited list. Each result carries source, observed-at and freshness.

curl -s -X POST https://dynamicfeed.ai/v1/batch \
  -H 'Content-Type: application/json' \
  -d '{"calls":[
    {"tool":"software_version","args":{"product":"python"}},
    {"tool":"check_vulnerability","args":{"package":"lodash","version":"4.17.10","ecosystem":"npm"}},
    {"tool":"exploited_vulnerabilities","args":{}}
  ]}'

Cursor configuration, in ~/.cursor/mcp.json (or .cursor/mcp.json in a project):
{
  "mcpServers": {
    "dynamic-feed": {
      "url": "https://dynamicfeed.ai/mcp"
    }
  }
}

Why live data

Cursor speaks MCP over Streamable HTTP, so you point it at one URL and the editor's agent gets a toolbox it can call mid-task. That matters for dependency work: a model's training data has a cutoff, so it guesses at the latest stable version and at which CVEs apply - and guesses go stale the day after release. These tools read live sources (endoflife.date for versions, the OSV.dev corpus for package CVEs, the CISA KEV catalog for what is actively exploited) so the agent answers from current data instead of memory. Every datapoint comes back Ed25519-signed and provenance-stamped with source, observed-at and freshness. Be precise about what that signature means: it is proof-of-existence and tamper-evidence - it proves we served this exact value at that time and that the bytes were not altered in transit. It is not a claim that the value is true, accurate or safe. You still verify the fact; the signature just makes the record auditable.
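The distinction drawn above, as an added example that is not code from this page or from the service: a signature check establishes only that the bytes are unaltered, so a client still has to check source and age itself. The locally generated key pair (a stand-in for the feed's key), the envelope layout, the field names `tool`, `source`, `observed_at` and `value`, the source strings, and signing over the serialized JSON bytes are all assumptions; the sample records are constructed.

```javascript
// Added example: constructed data and an assumed record layout, not the service's documented format.
const crypto = require('node:crypto');

// Stand-in for the feed's signing key; the real public key is not given on the page.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Sources the page names for each tool (exact strings are an assumption).
const EXPECTED_SOURCE = {
  software_version: 'endoflife.date',
  check_vulnerability: 'OSV.dev',
  exploited_vulnerabilities: 'CISA KEV',
};

// Assumption: the signature covers the UTF-8 bytes of the serialized record.
function signRecord(record) {
  const payload = JSON.stringify(record);
  return { payload, signature: crypto.sign(null, Buffer.from(payload), privateKey).toString('base64') };
}

// Step 1, tamper-evidence: true only if these exact bytes were signed by the key.
function signatureOk({ payload, signature }) {
  return crypto.verify(null, Buffer.from(payload), publicKey, Buffer.from(signature, 'base64'));
}

// Step 2, the checks a signature cannot make for you: expected source and age.
function evaluate(envelope, now, maxAgeMs) {
  if (!signatureOk(envelope)) return 'reject: bad signature';
  const rec = JSON.parse(envelope.payload);
  if (rec.source !== EXPECTED_SOURCE[rec.tool]) return 'reject: unexpected source';
  const age = now - Date.parse(rec.observed_at);
  if (!(age >= 0 && age <= maxAgeMs)) return 'reject: stale or future-dated';
  return 'accept: still confirm the value against the source';
}

const NOW = Date.parse('2025-01-02T00:00:00Z'); // constructed clock
const DAY = 24 * 60 * 60 * 1000;
const fresh = signRecord({ tool: 'check_vulnerability', source: 'OSV.dev',
  observed_at: '2025-01-01T23:00:00Z', value: { package: 'lodash', version: '4.17.10' } });
const stale = signRecord({ tool: 'check_vulnerability', source: 'OSV.dev',
  observed_at: '2024-06-01T00:00:00Z', value: { package: 'lodash', version: '4.17.10' } });
// Same signature, edited bytes: the version string was changed after signing.
const tampered = { ...fresh, payload: fresh.payload.replace('4.17.10', '4.17.21') };

console.log(evaluate(fresh, NOW, DAY));
console.log(evaluate(stale, NOW, DAY), '| signature valid:', signatureOk(stale));
console.log(evaluate(tampered, NOW, DAY));
```

The stale record is the case to notice: its signature verifies, and it is still rejected on age.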

FAQ

Do I need an API key for Cursor?

No. The MCP endpoint at https://dynamicfeed.ai/mcp is keyless and free for fair use. Add the URL to mcp.json and Cursor connects - there is no key field to fill in.

Where does the version and CVE data come from?

Software versions and end-of-life dates come from endoflife.date; package CVE checks query the OSV.dev corpus; the actively-exploited list is the CISA KEV catalog enriched with EPSS scores. Every result is stamped with its source, observed-at time and freshness so you can cite it.

Does the Ed25519 signature mean the data is correct?

No. The signature is proof-of-existence and tamper-evidence - it proves we served that exact value at that time and that it was not altered. It is not a truth, accuracy or safety claim. Verify the fact itself; the signature just makes the record auditable.

Ready when your agent is

Plug your agent into the now.

Keyless over MCP, or a free REST key — 87 live tools, signed and Bitcoin-anchored. Live in under a minute.