brucegutman

Pipeworx nvd

Author: Bruce Gutman · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 85
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install pipeworx-nvd
Description
NVD MCP — wraps the NIST National Vulnerability Database API (free, no auth)
Security usage advice
This skill's description (a simple NVD wrapper) does not match its runtime instruction to run 'npx -y mcp-remote@latest' and connect to gateway.pipeworx.io. That will download and execute code from npm and send your queries through a third party. Before installing: (1) confirm why a gateway and remote npm package are required instead of calling nvd.nist.gov directly; (2) ask for a pinned package version and integrity/hash rather than 'latest'; (3) inspect the mcp-remote package source or run it in an isolated environment; and (4) avoid using it with sensitive data unless you trust gateway.pipeworx.io. If you cannot verify those, treat the skill as potentially unsafe.
Functional analysis
Type: OpenClaw Skill
Name: pipeworx-nvd
Version: 1.0.0
The skill bundle provides documentation and connection instructions for an MCP server that wraps the NIST National Vulnerability Database (NVD) API. It uses a standard 'npx' command to execute 'mcp-remote' and connect to a gateway at gateway.pipeworx.io. No malicious logic, data exfiltration, or prompt injection attempts were found in SKILL.md or _meta.json.
Capability assessment
Purpose & Capability
The description says it wraps the NIST NVD (no auth) but the SKILL.md's Connect block instructs running 'npx ... mcp-remote@latest' to reach https://gateway.pipeworx.io/nvd/mcp. A direct NVD wrapper would be expected to call NIST endpoints directly — requiring an npm package and a third‑party gateway is not justified by the stated purpose.
Instruction Scope
The only runtime instruction is to run npx to download and execute mcp-remote and connect to gateway.pipeworx.io. That directs the agent to execute remote code and contact a third‑party service rather than directly calling the public NVD API; it also implicitly requires the npx/node runtime even though no binaries were declared.
Install Mechanism
Although there is no explicit install spec, the SKILL.md uses npx to fetch 'mcp-remote@latest' at runtime. This dynamically pulls and runs code from the npm registry with an unpinned 'latest' version and no integrity check — a moderate-to-high installation risk because arbitrary code will be executed.
Credentials
The skill declares no environment variables or credentials, which is consistent with a public NVD wrapper. However, it still routes requests through a third‑party gateway (gateway.pipeworx.io), which could observe or collect queries and responses even though no credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system configuration or higher privileges. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating flags.
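How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pipeworx-nvd
  3. Once installation completes, call the Skill by name or trigger it with /pipeworx-nvd
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history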
v1.0.0
Initial release
Metadata
Slug pipeworx-nvd
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

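What is Pipeworx nvd?

NVD MCP — wraps the NIST National Vulnerability Database API (free, no auth). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 85 total downloads so far.

How do I install Pipeworx nvd?

Run the command "/install pipeworx-nvd" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Pipeworx nvd free?

Yes, Pipeworx nvd is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Pipeworx nvd support?

Pipeworx nvd is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Pipeworx nvd?

Developed and maintained by Bruce Gutman (@brucegutman); the current version is v1.0.0.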