cve-risk-score

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE · COMMAND_EXECUTION · EXTERNAL_DOWNLOADS · PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's workflow requires the agent to execute a local Python script (tools/nvd-lookup.py) to process CVE lookups.
      • Evidence: SKILL.md specifies the command python3 tools/nvd-lookup.py CVE-XXXX-XXXXX for data retrieval.
  • [EXTERNAL_DOWNLOADS]: The skill connects to the NVD API to fetch vulnerability data. While NIST is a well-known government service, this represents an external network dependency.
      • Evidence: reference/nvd-api-reference.md defines the endpoint https://services.nvd.nist.gov/rest/json/cves/2.0.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data (CVE descriptions and metadata) from an external API and presents it to the agent.
      • Ingestion points: Vulnerability descriptions, CWE labels, and reference URLs from the NVD API response.
      • Boundary markers: Absent; the skill does not specify delimiters or instructions to ignore embedded content in the fetched data.
      • Capability inventory: The agent has shell access to execute the nvd-lookup.py script.
      • Sanitization: No validation or sanitization of the remote API content is described in the skill instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 20, 2026, 11:11 PM