Pipeworx nvd

by Bruce Gutman · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads 85
Stars 0
Active Installs 0
Versions 1
Install in OpenClaw
/install pipeworx-nvd
Description
NVD MCP — wraps the NIST National Vulnerability Database API (free, no auth)
Usage Guidance
This skill's description (a simple NVD wrapper) does not match its runtime instruction to run 'npx -y mcp-remote@latest' and connect to gateway.pipeworx.io. That will download and execute code from npm and send your queries through a third party. Before installing: (1) confirm why a gateway and remote npm package are required instead of calling nvd.nist.gov directly; (2) ask for a pinned package version and integrity/hash rather than 'latest'; (3) inspect the mcp-remote package source or run it in an isolated environment; and (4) avoid using it with sensitive data unless you trust gateway.pipeworx.io. If you cannot verify those, treat the skill as potentially unsafe.
Capability Analysis
Type: OpenClaw Skill
Name: pipeworx-nvd
Version: 1.0.0
The skill bundle provides documentation and connection instructions for an MCP server that wraps the NIST National Vulnerability Database (NVD) API. It uses a standard 'npx' command to execute 'mcp-remote' and connect to a gateway at gateway.pipeworx.io. No malicious logic, data exfiltration, or prompt injection attempts were found in SKILL.md or _meta.json.
Capability Assessment
Purpose & Capability
The description says it wraps the NIST NVD (no auth) but the SKILL.md's Connect block instructs running 'npx ... mcp-remote@latest' to reach https://gateway.pipeworx.io/nvd/mcp. A direct NVD wrapper would be expected to call NIST endpoints directly — requiring an npm package and a third‑party gateway is not justified by the stated purpose.
Instruction Scope
The only runtime instruction is to run npx to download and execute mcp-remote and connect to gateway.pipeworx.io. That directs the agent to execute remote code and contact a third‑party service rather than directly calling the public NVD API; it also implicitly requires the npx/node runtime even though no binaries were declared.
Install Mechanism
Although there is no explicit install spec, the SKILL.md uses npx to fetch 'mcp-remote@latest' at runtime. This dynamically pulls and runs code from the npm registry with an unpinned 'latest' version and no integrity check — a moderate-to-high installation risk because arbitrary code will be executed.
Credentials
The skill declares no environment variables or credentials, which is consistent with a public NVD wrapper. However, it still routes requests through a third‑party gateway (gateway.pipeworx.io), which could observe or collect queries and responses even though no credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system configuration or higher privileges. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pipeworx-nvd
  3. After installation, invoke the skill by name or use /pipeworx-nvd
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug pipeworx-nvd
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Pipeworx nvd?

NVD MCP — wraps the NIST National Vulnerability Database API (free, no auth). It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.

How do I install Pipeworx nvd?

Run "/install pipeworx-nvd" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pipeworx nvd free?

Yes, Pipeworx nvd is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pipeworx nvd support?

Pipeworx nvd is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Pipeworx nvd?

It is built and maintained by Bruce Gutman (@brucegutman); the current version is v1.0.0.
