{"service":"tweetfeed-mcp","protocol":"Model Context Protocol (MCP)","protocolVersion":"2025-03-26","transport":"HTTP JSON-RPC 2.0 (POST)","endpoint":"https://mcp.tweetfeed.live/","tools":[{"name":"query_iocs","description":"Query the TweetFeed API for Indicators of Compromise (IOCs: URLs, domains, IPs, MD5/SHA256 hashes) shared by the infosec community on Twitter/X. Returns matching rows with date, researcher handle, type, value, tags, and tweet URL. All data CC0 licensed. The 'year' time window is not supported here (too large for a tool response) - use the /v1/year HTTP redirect directly if you need it."},{"name":"check_url","description":"Check whether a URL (or substring) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed URL has been flagged by the public infosec Twitter/X community. Case-insensitive substring match against the 'value' field of type=url IOCs. Returns matching rows with date, researcher handle, value, tags, and source tweet URL."},{"name":"check_ip","description":"Check whether an IP address appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed IP has been flagged as attacker infrastructure (C2, scanner, phishing host) by the public infosec Twitter/X community. Substring match against the 'value' field of type=ip IOCs (so '1.2.3' will also match '1.2.3.4'). Pass a full IPv4 / IPv6 string for an exact-match feel."},{"name":"check_hash","description":"Check whether a file hash (MD5 or SHA-256) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if a binary sample has been shared by the public infosec Twitter/X community. Hash type auto-detected from length (32 hex = MD5, 64 hex = SHA-256). Exact match on hex value, case-insensitive."},{"name":"list_recent_iocs","description":"List TweetFeed IOCs added since a given date, useful for delta-syncing a blocklist or Threat Intelligence pipeline. Source is the 30-day month window so 'since' must be within the past 30 days; older queries return only the part within the month window. Optional 'type' and 'tag' filters narrow the result. Sorted newest first."},{"name":"get_tag_info","description":"Bundle of TweetFeed activity for a single tag: aggregate counts across today/week/month/year windows plus the most recent IOCs. Saves the agent from making three separate calls to assemble a tag overview. Tag can be passed with or without a leading '#'."},{"name":"get_trending","description":"Top tags and IOC-type distribution for a given time window, computed from the live counts.json aggregate. Useful for 'what is the infosec community talking about right now' or 'which malware family is spiking this week' queries. Source: https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/counts.json (regenerated every 15 min)."},{"name":"enrich_ioc","description":"Look up an IOC value across the past 30 days of TweetFeed with auto-detected type (URL / domain / IP / MD5 / SHA-256). Returns all matching rows including researcher attribution and tags. Saves the agent from having to pick the right check_X tool when the type is uncertain. Falls back to substring search for URLs."}],"docs":"https://tweetfeed.live/api.html","license":"CC0-1.0 (IOC data)","source":"https://github.com/0xDanielLopez/tweetfeed-mcp"}