| name | cve-risk-score |
| description | Retrieve CVE risk scores from NVD. Auto-invoked whenever a CVE ID is mentioned to display CVSS score, severity, CWE, and description. |
CVE Risk Score
Fetch and display CVE risk scores from the National Vulnerability Database (NVD) whenever a CVE ID appears in conversation.
Trigger
This skill MUST be invoked automatically whenever a CVE ID (pattern CVE-YYYY-NNNNN) is mentioned by the user or discovered during research/scanning. Do not wait for explicit invocation.
Workflow
-
Extract CVE IDs from the user's message or tool output (regex: CVE-\d{4}-\d{4,})
-
Run the lookup script:
python3 tools/nvd-lookup.py CVE-XXXX-XXXXX [CVE-YYYY-YYYYY ...]
-
Present the results in a concise table format:
| CVE ID | Score | Severity | CWE | Description |
|---|
| CVE-XXXX-XXXXX | 9.8 | CRITICAL | CWE-79 | ... |
-
Continue with the user's original task — the score lookup is supplementary context, not a blocking step.
Output Format
When presenting CVE risk scores inline, use this compact format:
CVE-2024-12345: 9.8 CRITICAL (CWE-79) — Remote code execution via ...
For multiple CVEs, use a markdown table.
Rules
- Always invoke — every CVE ID mentioned triggers a lookup. No exceptions.
- Non-blocking — fetch scores in parallel with other work when possible.
- Accurate data only — display exactly what NVD returns. Never estimate or fabricate scores.
- Graceful degradation — if NVD is unreachable or the CVE has no score yet, say so explicitly (e.g., "Not yet scored by NVD").
- Rate limiting — the script handles rate limits internally. For bulk lookups (5+), warn that NVD throttles unauthenticated requests.
- API key — if
NVD_API_KEY is set in .env, the script uses it for higher rate limits.
Integration
This skill complements other skills:
- cve-poc-generator: After seeing the risk score, the user may want a full PoC and report
- reconnaissance / source-code-scanning: When these skills discover CVEs in dependencies, auto-lookup their scores
- coordination: CVE scores inform priority and severity classification in findings