DataNexus MCP Server
CVE/SBOM security audits, licence compliance, frontend security scanning, domain intelligence, and public records — 55 tools, no API key required Category: Security (also fits: Compliance, Data)
Documentation
DataNexus MCP
55 tools. One URL. Free tier — no credit card.
Verified public data — CVE/SBOM security audits, licence identification, frontend security scanning, nonprofit 990 filings, federal contracts, NPI lookups, patents, and domain intelligence — delivered as AI-Ready Markdown inside any MCP client.
Connect in 30 seconds:
{
"mcpServers": {
"datanexus": {
"type": "http",
"url": "https://datanexusmcp.com/mcp"
}
}
}
Or via npx (for stdio clients like Claude Desktop):
npx -y @datanexusmcp/mcp-server
Free Tier & API Keys
DataNexus is free to use. Usage is tracked per session.
| Tier | Calls/month | How to activate |
|---|---|---|
| Anonymous | 100 | Just connect — no setup |
| Registered (free) | 500 | Generate a free key (see below) |
Every response includes a usage field showing your current month's count against your limit. When you approach your limit, responses include an upgrade_hint pointing to datanexusmcp.com.
Getting a free API key (5× more calls)
From any MCP client connected to DataNexus:
apikeys_generate_api_key(email="[email protected]")
Returns a dnx_... key. Store it — it is shown only once.
Using your API key
Claude Desktop / HTTP clients:
{
"mcpServers": {
"datanexus": {
"type": "http",
"url": "https://datanexusmcp.com/mcp",
"headers": {
"X-DataNexus-Key": "dnx_your_key_here"
}
}
}
}
npx / stdio clients: pass the key as an environment variable or use the HTTP config above.
Managing your key
| Tool | What it does |
|---|---|
apikeys_generate_api_key(email) | Issue a new key — rate-limited to 3/IP/day |
apikeys_rotate_api_key(current_key) | Revoke old key, issue replacement |
apikeys_revoke_api_key(key) | Permanently revoke a key |
Who Uses DataNexus
Security engineers auditing SBOMs against CISA KEV, triaging CVEs with instant CRITICAL/HIGH/MODERATE/LOW verdicts, scanning CI pipelines for exposed secrets, and checking licence compatibility across their entire dependency list — without leaving their AI client.
Frontend developers catching typosquats against the top-500 frontend corpus, auditing package.json for supply-chain risk before shipping, and getting one-verdict package risk briefs scoped to npm.
Compliance analysts running background checks across IRS, SAM.gov, and NPPES — manually 45 minutes, with DataNexus 4 minutes.
Nonprofit researchers and grant-makers discovering organizations by category, tracking 5-year revenue trends, and running full 990-based due diligence — in one conversation.
M&A and legal teams doing due diligence on organizations — SAM exclusion checks, contract history, NPI verification, and patent portfolio in a single Claude conversation.
5-Minute Quickstart
Copy any of these into Claude after connecting DataNexus:
Register a free API key:
"Generate a DataNexus API key for me using my email address."
Licence compliance audit:
"Check the licences of requests, flask, and numpy. Are they compatible for use in a commercial SaaS product?"
CVE risk triage:
"Get the full risk summary for CVE-2021-44228 — CVSS, CISA KEV status, EPSS probability, and patch availability in one call."
Audit a package.json:
"Audit my package.json for supply-chain risk — check for critical CVEs, licence issues, and abandoned packages."
Scan a GitHub Actions workflow:
"Scan this GitHub Actions workflow for exposed secrets, unpinned actions, and missing lockfile enforcement."
Nonprofit due diligence:
"Find education nonprofits in California, pick one, and show me their 5-year revenue trend."
CVE watch inbox:
"Check all my active CVE watches for new events since my last poll."
Tools (55 total)
API Key Management
| Tool | What it does | Auth |
|---|---|---|
apikeys_generate_api_key | Generate a free dnx_... API key tied to your email. Rate-limited 3/IP/day. Returns key once — store it immediately | None |
apikeys_rotate_api_key | Revoke current key and issue a replacement in one atomic operation | Current key |
apikeys_revoke_api_key | Permanently revoke an API key and invalidate its Redis cache entry | Key to revoke |
Security & Vulnerability Intelligence (T10)
Core CVE & Package Tools
| Tool | What it does | Source | Auth |
|---|---|---|---|
security_fetch_package_vulnerabilities | CVE list for any npm/PyPI/Go/Maven/Cargo package at a specific version. Batch up to 50 packages | OSV.dev | None |
security_fetch_package_licence | SPDX licence identifier for any package version | deps.dev | None |
security_fetch_dependency_graph | Full transitive dependency tree with CVE-flagged transitive deps highlighted via OSV cross-check. Hard timeout 8s | deps.dev + OSV.dev | None |
security_audit_sbom_vulnerabilities | Audit a CycloneDX or SPDX SBOM JSON against OSV.dev. CVEs grouped by package with severity | OSV.dev batch | None |
security_fetch_cve_detail | Full CVE record — CVSS score, description, affected products, patch references | NIST NVD | None |
security_fetch_cisa_kev | Check whether a CVE is in the CISA Known Exploited Vulnerabilities catalog | CISA KEV | None |
security_fetch_cve_epss | EPSS exploit probability (0.0–1.0) for a CVE. >0.7 = patch immediately | FIRST.org EPSS | None |
Package Risk & Supply Chain
| Tool | What it does | Source | Auth |
|---|---|---|---|
security_fetch_package_risk_brief | Single-call SHIP/CAUTION/BLOCK verdict combining CVEs, licence risk, maintainer health, and transitive count | OSV.dev + deps.dev + PyPI/npm | None |
security_fetch_package_maintainer_history | Maintainer ownership timeline and anomaly score. Flags sudden ownership transfers | PyPI + npm | None |
security_detect_typosquatting | DL-distance ≤ 2 against top-10,000 packages. Returns SUSPICIOUS/CLEAN verdict | PyPI + npm stats | None |
security_fetch_cve_watch | Persistent CVE watchlist — create once, check anytime for patch releases, KEV listings, PoC publications | NVD + CISA KEV + OSV | None |
security_audit_sbom_continuous | Register a CycloneDX/SPDX SBOM once, check anytime for new CVEs | OSV.dev | None |
Licence Intelligence & CVE Aggregator
| Tool | What it does | Source | Auth |
|---|---|---|---|
security_fetch_licence_analysis | Plain-English licence explainer. Risk level, obligations, permissions for any SPDX ID. Static bundle covers top-50 | SPDX list | None |
security_audit_licence_compatibility | COMPATIBLE/CONFLICT audit for up to 50 packages or SPDX IDs. Specific conflicting pairs with remediation | SPDX + deps.dev | None |
security_fetch_cve_risk_summary | One-call CVE verdict: CRITICAL_EXPLOIT/HIGH_RISK/MODERATE/LOW/UNKNOWN. Aggregates CVSS + KEV + EPSS in parallel | NVD + CISA + EPSS | None |
Sprint 8B — Backend Security Depth
| Tool | What it does | Source | Auth |
|---|---|---|---|
security_audit_sbom_license_policy | Audit a CycloneDX/SPDX SBOM against a custom SPDX licence policy. Returns PASS/WARN/BLOCK per package. Default policy blocks GPL-3.0/AGPL-3.0. Unlisted licences → WARN | deps.dev | None |
security_fetch_cve_watch_status | Polling inbox for all active CVE watches. Returns only watches with new events since last poll using per-user cursor. First call returns last 30 days | Redis | API key recommended |
Frontend Security (T20)
New in Sprint 8B. Frontend-specific security tools scoped to the npm ecosystem with a curated top-500 frontend package corpus.
| Tool | What it does | Source | Auth |
|---|---|---|---|
frontend_security_detect_typosquatting | Typosquatting detection against the top-500 frontend packages (React, Vite, Axios, Lodash, etc.). DL-distance ≤ 2. Fewer false positives than the full-npm scan | Static corpus | None |
frontend_security_audit_manifest | Audit a package.json for supply-chain risk. Returns SHIP/CAUTION/BLOCK verdict with CVE counts, licence risks, and abandoned packages. Accepts optional package-lock.json for pinned-version accuracy | OSV.dev + deps.dev + npm | None |
frontend_security_audit_ci_pipeline | Scan GitHub Actions, Vercel, or Netlify configs for exposed secrets, unpinned actions, missing lockfile enforcement, and overly broad permissions. ${{ secrets.FOO }} references are never flagged — only literal credential values | Static analysis | None |
frontend_security_fetch_package_risk_brief | npm-scoped SHIP/CAUTION/BLOCK risk brief with frontend-specific signals: weekly_downloads and is_ui_component (detects react-, @mui/, @radix-ui/*, etc.) | OSV.dev + deps.dev + npm | None |
Differentiator vs mcp-security-audit: DataNexus frontend tools return one actionable verdict (SHIP/CAUTION/BLOCK) with licence risk and abandonment signals, not a raw CVE dump.
Nonprofit Intelligence (T04)
| Tool | What it does | Source | Auth |
|---|---|---|---|
nonprofit_fetch_nonprofit_by_ein | Full IRS 990 filing data for any US nonprofit — revenue, expenses, executive compensation, risk flags | ProPublica + IRS e-File | None |
nonprofit_search_nonprofits_by_name | Search US nonprofits by name and optional state filter | ProPublica | None |
nonprofit_fetch_charity_uk | UK registered charity details — income, trustees, activities | UK Charity Commission | None |
nonprofit_fetch_nonprofit_full_profile | Complete due diligence in one call — financials, exec pay, risk flags, health score (0–100), programme ratio, fundraising sustainability | ProPublica + IRS | None |
nonprofit_search_nonprofits_by_category | Search by mission category (education, healthcare, arts, environment, human_services, civil_rights, international, religion, science, sports) or raw NTEE code | ProPublica | None |
nonprofit_fetch_nonprofit_financial_trends | 5-year (up to 10-year) revenue, expense, and asset trends with CAGR and health score history | ProPublica + IRS 990 | None |
Compliance & Identity Verification (T22)
| Tool | What it does | Source | Auth |
|---|---|---|---|
compliance_check_sam_exclusion | Check if an entity is excluded from US federal contracts (debarred) on SAM.gov | SAM.gov | None |
compliance_fetch_npi_provider | NPI provider details — name, specialty, address, taxonomy codes | NPPES NPI Registry | None |
compliance_search_npi_by_name | Search NPI registry by provider name and state | NPPES NPI Registry | None |
compliance_fetch_finra_broker | FINRA BrokerCheck registration, disclosures, and exam history | FINRA BrokerCheck | None |
Domain Intelligence (T07)
| Tool | What it does | Source | Auth |
|---|---|---|---|
domain_fetch_dns_records | A, AAAA, MX, TXT, NS, CNAME records for any domain | Cloudflare DoH | None |
domain_check_email_security | SPF, DMARC, and DKIM validation — misconfiguration flags, A–F grade | Cloudflare DNS | None |
domain_fetch_domain_rdap | Domain registration details — registrar, registrant, creation date | RDAP | None |
domain_fetch_reverse_ip | All domains co-hosted on the same IP address | HackerTarget | None |
domain_fetch_subdomains | Enumerate subdomains via certificate transparency logs | crt.sh | None |
domain_fetch_ssl_certificate_chain | Full SSL certificate chain — issuer, expiry, SANs | crt.sh | None |
domain_fetch_domain_history | Historical SSL certificate issuance timeline | crt.sh | None |
Patent & Legal Intelligence (T11)
| Tool | What it does | Source | Auth |
|---|---|---|---|
legal_fetch_patent_by_number | Full patent record — claims, abstract, filing date, assignees, IPC classifications | EPO / USPTO / WIPO | None |
legal_search_patents_by_keyword | Patent search across EPO, USPTO, and WIPO by keyword or phrase | EPO / USPTO / WIPO | None |
legal_fetch_inventor_portfolio | All patents by a named inventor — portfolio size, filing dates, assignees | EPO / USPTO / WIPO | None |
legal_fetch_patent_citations | Forward and backward citation chains for a patent | EPO / USPTO / WIPO | None |
Government Contracts (T18)
| Tool | What it does | Source | Auth |
|---|---|---|---|
govcon_fetch_vendor_contract_history | Federal contract award history for any vendor | USASpending.gov | None |
govcon_search_contract_awards | Search contract awards by keyword, agency, or PSC code | USASpending.gov | None |
govcon_fetch_open_solicitations | Open contract opportunities currently accepting bids | SAM.gov | None |
Regulatory Intelligence (T19)
| Tool | What it does | Source | Auth |
|---|---|---|---|
regulatory_search_open_rulemakings | Open rulemaking proceedings on Regulations.gov by keyword or agency | Regulations.gov | None |
regulatory_fetch_docket_details | Full docket record — comments, documents, status | Regulations.gov | None |
regulatory_fetch_federal_register_notices | Recent Federal Register notices and rules by agency or keyword | Federal Register | None |
Shared Tools
| Tool | What it does |
|---|---|
search_datanexus_tools | Find the right DataNexus tool for your task by keyword |
report_feedback | Report data quality issues or gaps |
report_mcpize_link | Returns subscription and payment tier status |
validate_tool_output | Validate a tool response for anomalies or schema issues |
Data Sources
| Source | Data | Tools |
|---|---|---|
| ProPublica Nonprofit Explorer | US nonprofit 990 filings, multi-year financials | T04 |
| IRS EO BMF + e-File | US nonprofit registrations and raw 990 data | T04 |
| UK Charity Commission | UK charity registrations | T04 |
| NIST NVD | CVE database with CVSS scores and references | T10 |
| OSV.dev | Open source vulnerability database | T10, T20 |
| CISA KEV | Known exploited vulnerabilities catalog (daily refresh) | T10 |
| FIRST.org EPSS | Exploit prediction scores | T10 |
| deps.dev | Dependency graphs, licences, transitive counts | T10, T20 |
| SPDX licence list | Licence metadata (static bundle + API fallback) | T10 |
| PyPI + npm registries | Maintainer history and download stats | T10, T20 |
| npm downloads API | Weekly download counts for packages | T20 |
| Cloudflare DNS over HTTPS | DNS records and email security | T07 |
| crt.sh | Certificate transparency logs and SSL history | T07 |
| EPO / USPTO / WIPO | Patent databases | T11 |
| USASpending.gov | Federal contract awards | T18 |
| SAM.gov | Contract opportunities and exclusions | T18, T22 |
| Regulations.gov | Open rulemakings and dockets | T19 |
| Federal Register | Agency notices and rules | T19 |
| NPPES NPI Registry | Healthcare provider verification | T22 |
| FINRA BrokerCheck | Broker/adviser registrations | T22 |
Installation
Hosted (recommended — no setup required)
No Docker, no API keys, no configuration.
{
"mcpServers": {
"datanexus": {
"type": "http",
"url": "https://datanexusmcp.com/mcp"
}
}
}
With a registered API key (500 calls/month)
{
"mcpServers": {
"datanexus": {
"type": "http",
"url": "https://datanexusmcp.com/mcp",
"headers": {
"X-DataNexus-Key": "dnx_your_key_here"
}
}
}
}
Via npx (stdio clients — Claude Desktop, Cursor)
npx -y @datanexusmcp/mcp-server
Via npm (programmatic use)
npm install @datanexusmcp/mcp-server
Changelog
v2.4.0 — Sprint 8 (2026-05-30)
10 new tools — API key infrastructure, backend security depth, frontend security wedge
Sprint 8A — API Key Infrastructure:
apikeys_generate_api_key— issue a freednx_...key tied to your email (500 calls/month)apikeys_rotate_api_key— atomic key rotationapikeys_revoke_api_key— immediate revocation + Redis cache invalidation_UsageMiddleware— usage counting injected into every tool response at middleware level. Zero changes to existing tool files- Anonymous tier: 100 calls/month (IP-keyed). Registered tier: 500 calls/month (key-keyed)
PAYMENT_ENABLEDflag: soft gate today → hard 429 when payment is enabled (env var flip, no code change)
Sprint 8B — Sub-category Taxonomy + Backend Security Depth + Frontend Security Wedge:
security_audit_sbom_license_policy— SBOM → PASS/WARN/BLOCK per org licence policy (CycloneDX/SPDX). Default policy blocks GPL-3.0/AGPL-3.0. Unlisted licences default to WARNsecurity_fetch_cve_watch_status— CVE watch polling inbox with per-user cursor. Returns only new events since last pollsecurity_fetch_dependency_graphenhanced —cvs_filtered_transitive_depsfield added: transitive deps with ≥1 open CVE highlighted via OSV.dev cross-checkfrontend_security_detect_typosquatting— DL-distance ≤ 2 against curated top-500 frontend corpusfrontend_security_audit_manifest—package.json→ SHIP/CAUTION/BLOCK with licence risks and abandonment signalsfrontend_security_audit_ci_pipeline— GitHub Actions/Vercel/Netlify secret scanner.${{ secrets.X }}safe refs never flaggedfrontend_security_fetch_package_risk_brief— npm-scoped risk brief withweekly_downloadsandis_ui_componentsignalsCATEGORIES.md— 8-category tool taxonomy added to repo
v2.3.0 — Sprint 7 (2026-05-29)
5 new tools — licence intelligence, CVE aggregator, nonprofit depth
security_fetch_licence_analysis,security_audit_licence_compatibility,security_fetch_cve_risk_summarynonprofit_search_nonprofits_by_category,nonprofit_fetch_nonprofit_financial_trends
v2.2.0 — Sprint 6
6 new tools — package risk, maintainer health, stateful CVE/SBOM monitoring
security_fetch_package_risk_brief,security_fetch_package_maintainer_history,security_detect_typosquattingsecurity_fetch_cve_watch,security_audit_sbom_continuous,nonprofit_fetch_nonprofit_full_profile
v2.1.0 — Sprint 4
Added CISA KEV, EPSS, and SBOM audit tools (35 tools total).
License
DataNexus MCP is licensed under the Business Source License 1.1.
What this means in plain English:
- ✅ Free to use for personal projects, research, and self-hosting your own instance
- ✅ Free to read, modify, and learn from the source code
- ✅ Converts automatically to Apache 2.0 on 2030-06-11 — no strings attached after that
- ❌ Cannot be used to offer a competing hosted data intelligence service without a commercial license
Why BSL and not MIT?
We're building a sustainable hosted service on top of this codebase. BSL lets us keep the source open and auditable — important for a tool handling compliance and security data — while protecting the ability to fund continued development.
If you want to run a commercial service using DataNexus internals, get in touch. If you're self-hosting for your own agents, you're fully covered at no charge.