Can I use FIRST EPSS as a CLI?

Yes. KosmoKrator exposes a FIRST EPSS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose FIRST EPSS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected FIRST EPSS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are FIRST EPSS credentials stored?

FIRST EPSS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for FIRST EPSS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

FIRST EPSS Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the FIRST EPSS KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.first_epss.*. Use lua_read_doc("integrations.first-epss") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic FIRST EPSS workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.first_epss.query({}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("first-epss"))' --json
kosmo integrations:lua --eval 'print(docs.read("first-epss.query"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local first_epss = app.integrations.first_epss
local result = first_epss.query({})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.first_epss, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.first_epss.default.* or app.integrations.first_epss.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need FIRST EPSS, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

FIRST EPSS

Namespace: first-epss

Use this integration to query FIRST’s Exploit Prediction Scoring System (EPSS) for CVE exploitation probability and percentile rankings. EPSS scores are published daily and estimate the probability that a CVE will be exploited in the wild in the next 30 days.

Authentication

The FIRST EPSS API is public and requires no credentials.

Tools

first_epss_query: general EPSS API query with official parameters such as cve, cves, date, scope, epss_gt, percentile_gt, order, limit, offset, and fields.
first_epss_cve: score lookup for one CVE, optionally on a date.
first_epss_batch: score lookup for multiple CVEs, optionally on a date.
first_epss_time_series: time-series scores for one CVE. If date is set, the series runs up to that date.
first_epss_top: top CVEs ordered by descending EPSS probability or percentile.
first_epss_threshold: CVEs above an EPSS or percentile threshold.
first_epss_historical_csv_url: returns the official daily CSV gzip URL for a historical date without downloading the large file.

Return Notes

The API returns FIRST’s response envelope intact: status, status-code, version, access, total, offset, limit, and data. EPSS rows contain string values for cve, epss, percentile, and date.

epss is a probability between 0 and 1. percentile is the CVE’s rank relative to other CVEs for the same scoring date.

Examples

local score = tools.first_epss_cve({
  cve = "CVE-2022-27225"
})

local batch = tools.first_epss_batch({
  cves = {"CVE-2022-27225", "CVE-2022-27223"},
  date = "2022-03-05"
})

local urgent = tools.first_epss_threshold({
  epss_gt = 0.95,
  limit = 100
})

Use EPSS alongside asset exposure, CISA KEV, CVSS, vendor guidance, and local compensating controls. A high EPSS score means likely exploitation, not automatic business impact.

Raw agent markdown

# FIRST EPSS

Namespace: `first-epss`

Use this integration to query FIRST's Exploit Prediction Scoring System (EPSS)
for CVE exploitation probability and percentile rankings. EPSS scores are
published daily and estimate the probability that a CVE will be exploited in the
wild in the next 30 days.

## Authentication

The FIRST EPSS API is public and requires no credentials.

## Tools

- `first_epss_query`: general EPSS API query with official parameters such as
  `cve`, `cves`, `date`, `scope`, `epss_gt`, `percentile_gt`, `order`, `limit`,
  `offset`, and `fields`.
- `first_epss_cve`: score lookup for one CVE, optionally on a date.
- `first_epss_batch`: score lookup for multiple CVEs, optionally on a date.
- `first_epss_time_series`: time-series scores for one CVE. If `date` is set,
  the series runs up to that date.
- `first_epss_top`: top CVEs ordered by descending EPSS probability or
  percentile.
- `first_epss_threshold`: CVEs above an EPSS or percentile threshold.
- `first_epss_historical_csv_url`: returns the official daily CSV gzip URL for
  a historical date without downloading the large file.

## Return Notes

The API returns FIRST's response envelope intact: `status`, `status-code`,
`version`, `access`, `total`, `offset`, `limit`, and `data`. EPSS rows contain
string values for `cve`, `epss`, `percentile`, and `date`.

`epss` is a probability between 0 and 1. `percentile` is the CVE's rank relative
to other CVEs for the same scoring date.

## Examples

```lua
local score = tools.first_epss_cve({
  cve = "CVE-2022-27225"
})

local batch = tools.first_epss_batch({
  cves = {"CVE-2022-27225", "CVE-2022-27223"},
  date = "2022-03-05"
})

local urgent = tools.first_epss_threshold({
  epss_gt = 0.95,
  limit = 100
})
```

Use EPSS alongside asset exposure, CISA KEV, CVSS, vendor guidance, and local
compensating controls. A high EPSS score means likely exploitation, not automatic
business impact.

Metadata-derived Lua example

local result = app.integrations.first_epss.query({})
print(result)

Functions

query Read

Run a general EPSS API query with official parameters.

Lua path: app.integrations.first_epss.query
Full name: first-epss.first_epss_query

Parameter	Type	Required	Description
No parameters.

cve Read

Get EPSS score for one CVE.

Lua path: app.integrations.first_epss.cve
Full name: first-epss.first_epss_cve

Parameter	Type	Required	Description
No parameters.

batch Read

Get EPSS scores for multiple CVEs.

Lua path: app.integrations.first_epss.batch
Full name: first-epss.first_epss_batch

Parameter	Type	Required	Description
No parameters.

time_series Read

Get EPSS time-series scores for one CVE.

Lua path: app.integrations.first_epss.time_series
Full name: first-epss.first_epss_time_series

Parameter	Type	Required	Description
No parameters.

top Read

List highest EPSS or percentile CVEs.

Lua path: app.integrations.first_epss.top
Full name: first-epss.first_epss_top

Parameter	Type	Required	Description
No parameters.

threshold Read

List CVEs above EPSS or percentile thresholds.

Lua path: app.integrations.first_epss.threshold
Full name: first-epss.first_epss_threshold

Parameter	Type	Required	Description
No parameters.

historical_csv_url Read

Return the official historical daily EPSS CSV gzip URL for a date.

Lua path: app.integrations.first_epss.historical_csv_url
Full name: first-epss.first_epss_historical_csv_url

Parameter	Type	Required	Description
No parameters.