mlab is the official command-line client for the mlab.sh
threat-intelligence platform and its companion CVE API at
vuln.mlab.sh.
It lets you scan domains, look up IPs, analyse files, inspect SSL certificates, check cryptocurrency addresses, and search the CVE database — all from a single keyboard-driven tool with pretty terminal output or raw JSON for scripting.
$ mlab scan domain example.com
$ mlab cve detail CVE-2024-3094
$ mlab limits
brew tap mlab-sh/mlab-cli https://github.com/mlab-sh/mlab-cli
brew install mlabDownload the right tarball for your platform from the
releases page and drop the
binary into a directory on your PATH:
tar xzf mlab-darwin-arm64.tar.gz
sudo mv mlab /usr/local/bin/Pre-built archives are published for:
mlab-darwin-arm64— macOS Apple Siliconmlab-darwin-amd64— macOS Intelmlab-linux-amd64— Linux x86_64 (glibc)mlab-linux-arm64— Linux aarch64 (glibc)
git clone https://github.com/mlab-sh/mlab-cli
cd mlab-cli
cargo install --path .Requires Rust 1.74+.
The mlab.sh endpoints require an API key. Generate one from your account at https://mlab.sh and run:
mlab loginThe key is stored in ~/.mlab/conf.yml. You can verify it with:
mlab whoamiThe CVE endpoints on vuln.mlab.sh are public and require no authentication.
| Sub-command | Endpoint | Description |
|---|---|---|
scan domain <domain> |
POST /api/v1/scan/domain |
Launch a full domain scan, poll until completion, render the report |
scan ip <ip> |
GET /api/v1/scan/ip |
Geo, ASN and threat intel for an IPv4/IPv6 address |
scan file <path> |
POST /api/v1/upload/file |
Upload a file (≤ 10 MB) for analysis |
scan crypto <address> |
GET /api/v1/scan/crypto |
Threat intel for a blockchain address (--chain eth/btc/...) |
Common flags:
--json— emit raw JSON (good for piping intojq)--no-follow(domain only) — fire the scan and exit immediately
mlab status domain example.commlab results domain example.com
mlab results file <sha256>mlab ssl example.commlab limits # show all (domain, ip, file, crypto)
mlab limits domain # one scan type
mlab limits ip --raw # raw number, easy to scriptmlab cve search openssl --severity HIGH
mlab cve search "remote code execution" --date-start 2025-01-01 --exact
mlab cve detail CVE-2024-3094
mlab cve latestAll cve commands accept --json. The detail view shows CVSS score & vector,
EPSS probability, CISA KEV status, weaknesses (CWE) and references.
| Flag | Description |
|---|---|
--hostname <url> |
Override the mlab.sh API host (default https://mlab.sh) |
--cve-hostname <url> |
Override the CVE API host (default https://vuln.mlab.sh) |
Useful for self-hosted deployments or staging environments.
~/.mlab/conf.yml:
hostname: https://mlab.sh
api_key: <your key>You can edit it by hand; mlab login will rewrite it.
Scan a domain and dump the JSON report into a file:
mlab scan domain example.com --json > example.jsonList the 5 highest-scoring CVEs published last week:
mlab cve latest --json | jq '.cves | sort_by(-.cvss_score) | .[:5] | .[].id'Quick check that you have crypto quota left:
mlab limits crypto --rawTagged commits (v*) trigger a GitHub Actions build that produces:
- Static-TLS binaries for the four supported targets, packaged as
.tar.gz - A GitHub Release with auto-generated notes and the tarballs attached
- An auto-bumped
Formula/mlab.rbcommitted back tomain, sobrew upgrade mlabpicks the new version up on the next refresh
To cut a release:
# bump version in Cargo.toml, commit, then:
git tag v0.2.0
git push origin v0.2.0You can also trigger the workflow manually from the Actions tab.
Apache-2.0 — see LICENSE.