nvd-cve
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Python scripts using paths provided by environment variables ($MCP_CALL, $NVD_MCP_SCRIPT, $PYATS_MCP_SCRIPT, $GAIT_MCP_SCRIPT). This is an intended integration pattern for the agent to interact with system-level scripts.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by ingesting vulnerability descriptions from the NIST National Vulnerability Database API.
- Ingestion points: Vulnerability descriptions, CWE identifiers, and remediation references are retrieved and processed via the get_cve and search_cve tools.
- Boundary markers: The documentation does not specify the use of delimiters or specific instructions to the agent to disregard instructions potentially embedded within the CVE descriptions.
- Capability inventory: The skill possesses command execution capabilities using the python3 binary to perform its core search and reporting functions.
- Sanitization: There is no documentation regarding the sanitization or escaping of the retrieved external content before it is processed by the agent.
Audit Metadata