CVE Scanner

by ToolWeb (krishnakumarmahadevan-cmd) · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
135 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install cve-scanner
Description
Scan and identify Common Vulnerabilities and Exposures (CVEs) in software components and dependencies.
README (SKILL.md)

# Overview

The CVE Scanner is a security-focused API that enables developers, security teams, and DevOps professionals to rapidly identify and assess Common Vulnerabilities and Exposures (CVEs) affecting their software supply chain. By submitting package names, versions, or vulnerability identifiers, users receive comprehensive CVE data including severity ratings, affected versions, and remediation guidance.

This tool integrates seamlessly into CI/CD pipelines, vulnerability management workflows, and security audits. It leverages authoritative CVE databases to deliver accurate, up-to-date intelligence on software vulnerabilities, helping organizations prioritize patching efforts and reduce risk exposure.

Ideal users include security engineers, application developers, DevOps teams, and compliance officers who need rapid, reliable CVE lookup capabilities integrated into automated security workflows.

## Usage

### Sample Request

```json
{
  "query": "log4j 2.14.1"
}
```
### Sample Response

```json
{
  "vulnerabilities": [
    {
      "cve_id": "CVE-2021-44228",
      "title": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
      "severity": "CRITICAL",
      "cvss_score": 10.0,
      "affected_versions": [
        "2.0-beta9 through 2.15.0"
      ],
      "description": "Apache Log4j2 versions less than 2.16.0 are vulnerable to remote code execution via JNDI injection.",
      "published_date": "2021-12-10",
      "updated_date": "2024-01-15",
      "remediation": "Upgrade to Log4j 2.16.0 or later"
    }
  ],
  "query_timestamp": "2024-01-20T14:32:15Z",
  "total_vulnerabilities_found": 1
}
```

## Endpoints

### POST /scan-cve

Scan for Common Vulnerabilities and Exposures matching a given query string.

Method: POST
Path: /scan-cve

Request Parameters:

| Name | Type | Required | Description |
|------|------|----------|-------------|
| query | string | Yes | The search query for CVE scanning. Can be a package name, version string, CVE identifier (e.g., "CVE-2021-44228"), or component name. |

Request Body (application/json):

```json
{
  "query": "string"
}
```

Response (200 - Success):

Returns a JSON object containing matched CVE records with vulnerability details, severity information, affected versions, and recommended remediation steps.

Response (422 - Validation Error):

Returns validation error details when the request schema is invalid or required fields are missing.

```json
{
  "detail": [
    {
      "loc": ["body", "query"],
      "msg": "field required",
      "type": "value_error.missing"
    }
  ]
}
```
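A minimal client for the endpoint documented above, written here as an added example (not the skill's or ToolWeb's own code): it builds the POST /scan-cve request, refuses a non-HTTPS base URL, parses both the 200 and 422 shapes shown above, validates each record's CVE id and severity before using it, and gates a CI build on severity. The base URL joins the Kong route listed under References with /scan-cve, which is an assumption; the sample bodies are constructed from the page's own examples so the block runs offline.

```python
import json
import re
from urllib.parse import urlparse

# Assumed base URL: the page lists https://api.mkkpro.com/security/cve-scanner as the
# Kong route and POST /scan-cve as the endpoint; joining the two is an assumption.
BASE_URL = "https://api.mkkpro.com/security/cve-scanner"
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def build_scan_request(query: str, base_url: str = BASE_URL) -> dict:
    """Build the POST /scan-cve request; refuse non-TLS endpoints and empty queries."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("refusing to send queries to a non-HTTPS endpoint")
    if not query.strip():
        raise ValueError("query must not be empty")
    return {"method": "POST", "url": base_url.rstrip("/") + "/scan-cve",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"query": query})}


def parse_scan_response(status: int, body: str) -> dict:
    """Turn a 200 or 422 body into {"vulnerabilities": [...], "errors": [...]}."""
    data = json.loads(body)
    if status == 422:  # validation error: "detail" is a list of {loc, msg, type}
        errs = [".".join(map(str, e["loc"])) + ": " + e["msg"] for e in data.get("detail", [])]
        return {"vulnerabilities": [], "errors": errs}
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    vulns = []
    for v in data.get("vulnerabilities", []):
        # Drop records whose id or severity is malformed rather than trusting them blindly.
        if not CVE_ID_RE.match(str(v.get("cve_id", ""))) or v.get("severity") not in SEVERITY_RANK:
            continue
        vulns.append({"cve_id": v["cve_id"], "severity": v["severity"],
                      "cvss_score": float(v.get("cvss_score", 0.0)),
                      "remediation": v.get("remediation", "")})
    return {"vulnerabilities": vulns, "errors": []}


def should_fail_build(result: dict, min_severity: str = "HIGH") -> bool:
    """CI gate: True when any validated finding is at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[v["severity"]] >= threshold for v in result["vulnerabilities"])


# Constructed sample bodies, taken from the page's own 200 and 422 examples.
SAMPLE_200 = json.dumps({"vulnerabilities": [{"cve_id": "CVE-2021-44228", "severity": "CRITICAL",
    "cvss_score": 10.0, "remediation": "Upgrade to Log4j 2.16.0 or later"}]})
SAMPLE_422 = json.dumps({"detail": [{"loc": ["body", "query"], "msg": "field required",
                                     "type": "value_error.missing"}]})
```

Wire `build_scan_request` to whatever HTTP client the pipeline already uses and pass the raw status and body to `parse_scan_response`; a `True` from `should_fail_build` is the CI failure signal.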

## Pricing

| Plan | Calls/Day | Calls/Month | Price |
|------|-----------|-------------|-------|
| Free | 5 | 50 | Free |
| Developer | 20 | 500 | $39/mo |
| Professional | 200 | 5,000 | $99/mo |
| Enterprise | 100,000 | 1,000,000 | $299/mo |

## About

ToolWeb.in — 200+ security APIs, CISSP & CISM, platforms: Pay-per-run, API Gateway, MCP Server, OpenClaw, RapidAPI, YouTube.

## References

- Kong Route: https://api.mkkpro.com/security/cve-scanner
- API Docs: https://api.mkkpro.com:8010/docs

Usage Guidance
This skill appears to be an instruction-only wrapper for a hosted CVE lookup API (references to api.mkkpro.com and toolweb.in). Before installing or using it: (1) Confirm the exact endpoint(s) the skill will call (base URL, TLS), and whether it requires an API key or account; (2) Do not send sensitive or proprietary package/component identifiers until you confirm the vendor's privacy policy and data retention; (3) Verify costs and rate limits (the SKILL.md lists paid plans but gives no auth details); (4) If you need on-premise or offline scanning for sensitive code, prefer a tool that runs locally rather than sending queries to an unknown third party; (5) Ask the publisher for provenance (who operates api.mkkpro.com / toolweb.in) and a security/privacy statement. These clarifications would raise confidence; absence of them is why I mark the skill as suspicious.
Capability Analysis
Type: OpenClaw Skill
Name: cve-scanner
Version: 1.0.0
The CVE Scanner skill is a legitimate API wrapper designed to query vulnerability data from an external service (api.mkkpro.com). The SKILL.md and openapi.json files describe a standard request-call pattern for looking up CVEs based on package names or identifiers, with no evidence of malicious intent, data exfiltration, or prompt injection.
Capability Assessment
Purpose & Capability
Name and description (CVE lookup) match the included OpenAPI manifest and SKILL.md. Requiring no local tools, files, or credentials is plausible for a simple remote CVE lookup service.
Instruction Scope
SKILL.md describes POST /scan-cve and gives request/response examples and usage guidance; it does not instruct the agent to read local files or environment variables. However, the document references external hosts (api.mkkpro.com, toolweb.in) and an API gateway — the instructions are ambiguous about which host/URL the agent should call and whether queries (which may contain sensitive package or repo identifiers) will be transmitted to that external service.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing is written to disk and no packages are pulled during install.
Credentials
The skill declares no required credentials or env vars, yet SKILL.md advertises a hosted API with paid plans and endpoint URLs. There is an inconsistency: a hosted/paid API typically requires API keys or authentication, but none are declared. Also, queries (package names, versions, possibly proprietary component identifiers) will be sent to an external service — this is expected for such a tool but is a privacy/telemetry risk that is not documented here.
Persistence & Privilege
always is false and the skill is user-invocable. There is no indication the skill requests persistent system presence or modifies other skills/config.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cve-scanner
  3. After installation, invoke the skill by name or use /cve-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of CVE Scanner.
  • Scan and identify Common Vulnerabilities and Exposures (CVEs) in software components and dependencies.
  • Accepts package names, versions, or CVE identifiers as query input.
  • Returns comprehensive CVE data including severity, affected versions, and remediation steps.
  • Designed for integration into CI/CD pipelines and security workflows.
  • Provides tiered pricing plans including a free option.
Metadata
Slug cve-scanner
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is CVE Scanner?

Scan and identify Common Vulnerabilities and Exposures (CVEs) in software components and dependencies. It is an AI Agent Skill for Claude Code / OpenClaw, with 135 downloads so far.

How do I install CVE Scanner?

Run "/install cve-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is CVE Scanner free?

Yes, CVE Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does CVE Scanner support?

CVE Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created CVE Scanner?

It is built and maintained by ToolWeb (@krishnakumarmahadevan-cmd); the current version is v1.0.0.
