Vulnerability Prioritizer
Author: charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
Total downloads: 47 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install vulnerability-prioritizer
Description
Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturi...
Safe-use recommendations
This skill appears coherent and appropriate for prioritizing CVEs, but review it before running: (1) ensure the command-line tools it references (trivy, grype, npm/pip-audit, rg, curl, python3) are installed from trusted sources; (2) be aware that reachability checks will read local code and dependency trees, so don't run it against sensitive repositories unless you are comfortable with that analysis; (3) the enrichment steps call public APIs (api.first.org and cisa.gov) and will transmit CVE identifiers, so confirm this outbound traffic is allowed by policy; (4) the SKILL.md does not declare its required binaries in metadata; treat that as a documentation gap and verify locally that the needed tools are present. For an extra safety step, run the commands manually in a controlled environment on sample outputs before letting an agent execute them autonomously.
Analysis
Type: OpenClaw Skill
Name: vulnerability-prioritizer
Version: 1.0.0
The vulnerability-prioritizer skill is a legitimate tool for risk-based vulnerability management. It enriches scan results from tools like Trivy and npm audit with real-world exploit data from the EPSS API (api.first.org) and the CISA KEV catalog. The use of curl and inline Python scripts in SKILL.md is limited to parsing JSON data from these trusted sources and calculating risk scores. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Capability tags
Capability assessment
Purpose & Capability
The name/description (risk-based prioritization) matches the runtime instructions: parsing scanner output, enriching with EPSS and CISA KEV, applying asset multipliers, and producing a ranked remediation plan. All major actions are appropriate for the stated purpose. Minor note: the SKILL.md uses utilities (trivy, grype, npm/pip-audit, rg, curl, python3) but the skill metadata declared no required binaries — a documentation/manifest omission rather than an incoherent capability request.
Instruction Scope
Instructions explicitly tell the agent to read scanner JSON outputs, walk dependency trees, and search local source code (e.g., npm ls, rg). This is appropriate for reachability analysis, but it means the skill will examine local code and dependency metadata. It also makes outbound calls to public APIs (api.first.org for EPSS and cisa.gov for KEV) with CVE identifiers — expected for enrichment, but you should be aware those CVE lists are sent externally.
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded or installed by the skill itself. This minimizes install-time risk. Users still need to ensure the referenced tools are installed from trusted sources.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate: prioritization and enrichment use public APIs and local scanner outputs and do not require secrets. No extraneous credential access is requested.
Persistence & Privilege
The manifest's always flag is false, and there is no install behavior that modifies other skills or global agent settings. The skill does not request persistent privileges or hidden autorun behavior.
How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: /install vulnerability-prioritizer
- After installation, call the skill directly by name or trigger it with /vulnerability-prioritizer
- Provide the required inputs according to the skill's parameter description to receive structured output.
Version history
v1.0.0
- Initial release of Vulnerability Prioritizer skill.
- Prioritize vulnerabilities beyond CVSS by incorporating EPSS exploit likelihood, CISA Known Exploited Vulnerabilities, asset criticality multipliers, reachability analysis, and exploit maturity.
- Parses scan outputs from popular tools (Snyk, Trivy, Grype, Qualys, Nessus, npm, pip).
- Calculates composite risk scores to produce risk-ranked remediation plans.
- Offers commands to prioritize vulnerabilities, track trends, generate remediation SLAs, and analyze exploit reachability.
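The listing above describes risk-based prioritization (CVSS enriched with EPSS likelihood, CISA KEV membership, asset criticality multipliers and reachability) without showing how the composite score is formed. The following Python is an added example and not the skill's own code: its weighting formula and multipliers are assumptions chosen for illustration, and the CVE ids, EPSS values, KEV entries and asset names are constructed sample data standing in for the live api.first.org and cisa.gov responses the skill would fetch.

```python
"""Composite risk scoring over scanner findings enriched with EPSS and CISA KEV data.

Added example, not the vulnerability-prioritizer skill's own code. The weighting
formula is an assumption made for illustration; the CVE ids, EPSS values, KEV
membership and asset names are constructed sample data, not real records.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the EPSS API response: cve -> exploit probability (0..1).
EPSS_SAMPLE = {
    "CVE-0000-0001": 0.92,
    "CVE-0000-0002": 0.01,
    "CVE-0000-0003": 0.003,
    "CVE-0000-0004": 0.6,
}

# Constructed stand-in for the CISA KEV catalog: set of CVE ids with confirmed exploitation.
KEV_SAMPLE = {"CVE-0000-0002"}

# Constructed asset inventory: asset name -> business criticality tier.
ASSET_CRITICALITY = {"web-frontend": "critical", "internal-tool": "medium"}

# Assumed multipliers (not the skill's values).
CRITICALITY_MULT = {"critical": 1.5, "high": 1.2, "medium": 1.0, "low": 0.7}
REACHABILITY_MULT = {True: 1.0, False: 0.5, None: 0.8}  # None = reachability unknown
EPSS_FLOOR = 0.2  # a low EPSS discounts a finding but never zeroes it


@dataclass
class Finding:
    cve: str
    cvss: float                        # CVSS base score 0..10 as reported by the scanner
    asset: str
    package: str
    reachable: Optional[bool] = None   # result of a reachability check, if one was run
    epss: float = 0.0
    in_kev: bool = False
    score: float = 0.0


def enrich(f: Finding, epss_db: dict, kev: set) -> Finding:
    """Attach EPSS probability and KEV membership; a CVE missing from EPSS counts as 0."""
    f.epss = epss_db.get(f.cve, 0.0)
    f.in_kev = f.cve in kev
    return f


def composite_score(f: Finding, criticality: dict) -> float:
    """Assumed formula: CVSS*10 scaled by exploit likelihood, asset tier and reachability.

    Likelihood is 1.0 for KEV entries (exploitation is confirmed); otherwise it is
    EPSS_FLOOR + (1 - EPSS_FLOOR) * epss. The result is clamped to 0..100.
    """
    base = f.cvss * 10
    likelihood = 1.0 if f.in_kev else EPSS_FLOOR + (1 - EPSS_FLOOR) * f.epss
    tier = criticality.get(f.asset, "medium")  # unknown assets default to medium
    score = base * likelihood * CRITICALITY_MULT[tier] * REACHABILITY_MULT[f.reachable]
    return round(min(score, 100.0), 2)


def prioritize(findings, epss_db, kev, criticality) -> list:
    """Enrich, score and return findings ordered from most to least urgent."""
    for f in findings:
        enrich(f, epss_db, kev)
        f.score = composite_score(f, criticality)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def sample_findings() -> list:
    """Constructed scanner findings in a simplified shape (not a real tool's JSON)."""
    return [
        Finding("CVE-0000-0001", 9.8, "web-frontend", "libexample", reachable=True),
        Finding("CVE-0000-0002", 7.5, "internal-tool", "libother", reachable=True),
        Finding("CVE-0000-0003", 9.1, "internal-tool", "libthird", reachable=False),
        Finding("CVE-0000-0004", 5.3, "web-frontend", "libfourth", reachable=None),
    ]


if __name__ == "__main__":
    ranked = prioritize(sample_findings(), EPSS_SAMPLE, KEV_SAMPLE, ASSET_CRITICALITY)
    print(f"{'CVE':<16}{'CVSS':>6}{'EPSS':>7}{'KEV':>6}{'score':>8}  asset")
    for f in ranked:
        print(f"{f.cve:<16}{f.cvss:>6}{f.epss:>7.3f}{str(f.in_kev):>6}{f.score:>8}  {f.asset}")
```

Run stand-alone, the table shows why this differs from sorting by CVSS alone: the KEV-listed CVE-0000-0002 (CVSS 7.5) outranks CVE-0000-0003 (CVSS 9.1), whose near-zero EPSS and unreachable code path push it to the bottom, while the critical-tier asset lifts CVE-0000-0004 above it despite a medium CVSS.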
Metadata
FAQ
What is Vulnerability Prioritizer?
Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturi... It is an AI agent skill plugin for Claude Code / OpenClaw, with 47 downloads to date.
How do I install Vulnerability Prioritizer?
Run the command "/install vulnerability-prioritizer" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Vulnerability Prioritizer free?
Yes. Vulnerability Prioritizer is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does Vulnerability Prioritizer support?
Vulnerability Prioritizer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Vulnerability Prioritizer?
Developed and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.