
Vulnerability Prioritizer

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
47 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install vulnerability-prioritizer
Description
Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturi...
Usage Guidance
This skill appears coherent and appropriate for prioritizing CVEs, but review it before running:
  1. Ensure the command-line tools it references (trivy, grype, npm/pip-audit, rg, curl, python3) are installed from trusted sources.
  2. Be aware that the reachability checks read local code and dependency trees; don't run it against sensitive repositories unless you're comfortable with that analysis.
  3. The enrichment steps call public APIs (api.first.org and cisa.gov) and transmit CVE identifiers; confirm this outbound traffic is allowed by policy.
  4. The SKILL.md does not declare its required binaries in metadata; treat that as a documentation gap and verify locally that the needed tools are present.
If you want an extra safety step, run the commands manually in a controlled environment on sample outputs before letting an agent execute them autonomously.
Capability Analysis
Type: OpenClaw Skill
Name: vulnerability-prioritizer
Version: 1.0.0
The vulnerability-prioritizer skill is a legitimate tool for risk-based vulnerability management. It enriches scan results from tools like Trivy and npm audit with real-world exploit data from the EPSS API (api.first.org) and the CISA KEV catalog. The use of curl and inline Python scripts in SKILL.md is limited to parsing JSON data from these trusted sources and calculating risk scores. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Capability Tags
cryptocan-make-purchases
Capability Assessment
Purpose & Capability
The name/description (risk-based prioritization) matches the runtime instructions: parsing scanner output, enriching with EPSS and CISA KEV, applying asset multipliers, and producing a ranked remediation plan. All major actions are appropriate for the stated purpose. Minor note: the SKILL.md uses utilities (trivy, grype, npm/pip-audit, rg, curl, python3) but the skill metadata declared no required binaries — a documentation/manifest omission rather than an incoherent capability request.
Instruction Scope
Instructions explicitly tell the agent to read scanner JSON outputs, walk dependency trees, and search local source code (e.g., npm ls, rg). This is appropriate for reachability analysis, but it means the skill will examine local code and dependency metadata. It also makes outbound calls to public APIs (api.first.org for EPSS and cisa.gov for KEV) with CVE identifiers — expected for enrichment, but you should be aware those CVE lists are sent externally.
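The pipeline described above (parse scanner output, enrich with EPSS and KEV, apply asset multipliers, rank) as an added, self-contained example; this is not the skill's own code. The report layout follows Trivy's JSON shape as assumed here, the CVE ids and EPSS/KEV values are constructed placeholders so nothing is fetched from api.first.org or cisa.gov, and the weighting formula, asset multipliers and SLA thresholds are assumptions to illustrate the approach.

```python
import json

# Constructed sample report in the layout of a Trivy JSON scan (assumed shape;
# the CVE ids are invented placeholders, not real identifiers).
TRIVY_REPORT = json.dumps({"Results": [
    {"Target": "public-api", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "CVSS": {"nvd": {"V3Score": 9.8}}},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar", "CVSS": {"nvd": {"V3Score": 5.3}}}]},
    {"Target": "dev-laptop", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbaz", "CVSS": {"nvd": {"V3Score": 9.8}}}]},
    {"Target": "internal-db", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "CVSS": {"nvd": {"V3Score": 7.5}}}]},
]})
# Constructed stand-ins for what the EPSS API and the KEV catalog would return,
# so the example runs offline instead of calling api.first.org or cisa.gov.
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.85, "CVE-0000-0004": 0.10}
KEV = {"CVE-0000-0004"}
ASSET_MULTIPLIER = {"public-api": 1.5, "internal-db": 1.2, "dev-laptop": 0.6}  # assumed weights
REACHABLE = {"CVE-0000-0002": False}  # pretend result of a reachability check
SLA_DAYS = [(80, 7), (50, 30), (0, 90)]  # assumed score floor -> remediation SLA

def parse_trivy(report_json):
    """Flatten a Trivy-style report into {cve, asset, cvss} findings."""
    out = []
    for result in json.loads(report_json)["Results"]:
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score", 0.0)
            out.append({"cve": v["VulnerabilityID"], "asset": result["Target"], "cvss": score})
    return out

def risk_score(f, epss=EPSS, kev=KEV, assets=ASSET_MULTIPLIER, reachable=REACHABLE):
    """Composite score (assumed formula): CVSS scaled by exploit likelihood,
    reachability and asset criticality. KEV membership forces likelihood to 1."""
    likelihood = 1.0 if f["cve"] in kev else epss.get(f["cve"], 0.0)
    reach = 1.0 if reachable.get(f["cve"], True) else 0.3  # unreachable code: heavy discount
    return 100 * (f["cvss"] / 10) * (0.4 + 0.6 * likelihood) * reach * assets.get(f["asset"], 1.0)

def remediation_plan(report_json):
    """Rank findings by composite score and attach an SLA to each."""
    plan = []
    for f in parse_trivy(report_json):
        f["score"] = risk_score(f)
        f["sla_days"] = next(days for floor, days in SLA_DAYS if f["score"] >= floor)
        plan.append(f)
    return sorted(plan, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in remediation_plan(TRIVY_REPORT):
        print(f"{f['cve']}  cvss={f['cvss']:<4} score={f['score']:5.1f}  fix within {f['sla_days']}d  ({f['asset']})")
```

Note how the CVSS 9.8 finding on an unreachable dev laptop ranks last while a CVSS 5.3 finding with high EPSS on a public asset ranks second, which is the point of scoring beyond CVSS.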
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded or installed by the skill itself. This minimizes install-time risk. Users still need to ensure the referenced tools are installed from trusted sources.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate: prioritization and enrichment use public APIs and local scanner outputs and do not require secrets. No extraneous credential access is requested.
Persistence & Privilege
The always flag is false, and there is no install behavior that modifies other skills or global agent settings. The skill does not request persistent privileges or hidden autorun behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vulnerability-prioritizer
  3. After installation, invoke the skill by name or use /vulnerability-prioritizer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of Vulnerability Prioritizer skill.
- Prioritize vulnerabilities beyond CVSS by incorporating EPSS exploit likelihood, CISA Known Exploited Vulnerabilities, asset criticality multipliers, reachability analysis, and exploit maturity.
- Parses scan outputs from popular tools (Snyk, Trivy, Grype, Qualys, Nessus, npm, pip).
- Calculates composite risk scores to produce risk-ranked remediation plans.
- Offers commands to prioritize vulnerabilities, track trends, generate remediation SLAs, and analyze exploit reachability.
Metadata
Slug vulnerability-prioritizer
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Vulnerability Prioritizer?

Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturi... It is an AI Agent Skill for Claude Code / OpenClaw, with 47 downloads so far.

How do I install Vulnerability Prioritizer?

Run "/install vulnerability-prioritizer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Vulnerability Prioritizer free?

Yes, Vulnerability Prioritizer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Vulnerability Prioritizer support?

Vulnerability Prioritizer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Vulnerability Prioritizer?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
