{ "serverInfo": { "name": "tweetfeed-mcp", "version": "0.1.0", "description": "MCP server exposing the public TweetFeed IOC feed (URLs, domains, IPs, MD5/SHA-256 hashes shared by the infosec community on Twitter/X) as agent tools." }, "transport": { "type": "streamable-http", "endpoint": "https://mcp.tweetfeed.live/" }, "capabilities": { "tools": {} }, "protocolVersion": "2025-03-26", "license": "CC0-1.0 (data); MIT (server source)", "source": "https://github.com/0xDanielLopez/tweetfeed-mcp", "documentation": "https://tweetfeed.live/agents.html", "tools": [ { "name": "query_iocs", "description": "Query the TweetFeed API for Indicators of Compromise (IOCs: URLs, domains, IPs, MD5/SHA256 hashes) shared by the infosec community on Twitter/X. Returns matching rows with date, researcher handle, type, value, tags, and tweet URL. Required: time (today/week/month). Optional: user, tag, type, limit." }, { "name": "check_url", "description": "Check whether a URL (or substring) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed URL has been flagged by the public infosec Twitter/X community. Case-insensitive substring match." }, { "name": "check_ip", "description": "Check whether an IP address appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed IP has been flagged as attacker infrastructure (C2, scanner, phishing host). Substring match against the value field of type=ip IOCs." }, { "name": "check_hash", "description": "Check whether a file hash (MD5 or SHA-256) appears in the TweetFeed corpus over the past 30 days. Hash type auto-detected from length (32 hex = MD5, 64 hex = SHA-256). Exact match on hex value, case-insensitive." }, { "name": "list_recent_iocs", "description": "List TweetFeed IOCs added since a given date, useful for delta-syncing a blocklist or Threat Intelligence pipeline. Required: since (YYYY-MM-DD). Optional: limit, type, tag. Source is the 30-day month window." }, { "name": "get_tag_info", "description": "Bundle of TweetFeed activity for a single tag: aggregate counts across today/week/month/year windows plus the most recent IOCs. Saves the agent from making three separate calls to assemble a tag overview. Required: tag. Optional: limit." }, { "name": "get_trending", "description": "Top tags and IOC-type distribution for a given window (today/week/month/year), computed from the live counts.json aggregate. Useful for 'what is the community talking about right now' queries. Required: window. Optional: limit." }, { "name": "enrich_ioc", "description": "Look up an IOC value across the past 30 days of TweetFeed with auto-detected type (URL / domain / IP / MD5 / SHA-256). Saves the agent from picking the right check_X tool when the type is uncertain. Required: value." } ], "dataEndpoints": [ { "name": "stix_2_1_bundles", "url": "https://tweetfeed.live/stix/manifest.json", "format": "application/stix+json;version=2.1", "description": "Static STIX 2.1 indicator bundles for SIEM/Threat Intelligence platforms. Manifest indexes today/week/month bundles, each a spec-compliant Bundle of Indicator objects with TLP:CLEAR marking. Regenerated every 15 minutes." }, { "name": "diff_endpoint", "url": "https://api.tweetfeed.live/v1/since/{ISO8601}", "format": "application/json", "description": "Returns IOCs added after the given ISO 8601 timestamp. Same /{filter1}/{filter2} syntax as /v1/{window}. 410 if since > 365d ago, 400 on malformed ISO." }, { "name": "per_tag_rss", "url": "https://tweetfeed.live/rss/tag/{slug}.xml", "format": "application/rss+xml", "description": "One RSS 2.0 feed per active tag (>=1 hit in the last 7 days). Subscribe to a single threat type without polling the firehose." } ] }