cve risk score

Skill

Retrieve CVE risk scores from NVD. Auto-invoked whenever a CVE ID is mentioned to display CVSS score, severity, CWE, and description.

Files2
  • @skills/cve-risk-score/SKILL.md
  • @skills/cve-risk-score/reference/nvd-api-reference.md

CVE Risk Score

Fetch and display CVE risk scores from the National Vulnerability Database (NVD) whenever a CVE ID appears in conversation.

Trigger

This skill MUST be invoked automatically whenever a CVE ID (pattern CVE-YYYY-NNNNN) is mentioned by the user or discovered during research/scanning. Do not wait for explicit invocation.

Workflow

  1. Extract CVE IDs from the user's message or tool output (regex: CVE-\d{4}-\d{4,})
  2. Run the lookup script:
    bash
    [object Object]
  3. Present the results in a concise table format:
    CVE IDScoreSeverityCWEDescription
    CVE-XXXX-XXXXX9.8CRITICALCWE-79...
  4. Continue with the user's original task — the score lookup is supplementary context, not a blocking step.

Output Format

When presenting CVE risk scores inline, use this compact format:
CVE-2024-12345: 9.8 CRITICAL (CWE-79) — Remote code execution via ...
For multiple CVEs, use a markdown table.

Rules

  1. Always invoke — every CVE ID mentioned triggers a lookup. No exceptions.
  2. Non-blocking — fetch scores in parallel with other work when possible.
  3. Accurate data only — display exactly what NVD returns. Never estimate or fabricate scores.
  4. Graceful degradation — if NVD is unreachable or the CVE has no score yet, say so explicitly (e.g., "Not yet scored by NVD").
  5. Rate limiting — the script handles rate limits internally. For bulk lookups (5+), warn that NVD throttles unauthenticated requests.
  6. API key — if NVD_API_KEY is set in .env, the script uses it for higher rate limits.

Integration

This skill complements other skills:
  • cve-poc-generator: After seeing the risk score, the user may want a full PoC and report
  • reconnaissance / source-code-scanning: When these skills discover CVEs in dependencies, auto-lookup their scores
  • coordination: CVE scores inform priority and severity classification in findings
cve-risk-score — Kortix Marketplace | Kortix