Skill

nvd

The NVD is the U.S. government repository of standards-based vulnerability management data. Search CVEs by keyword, product (CPE name), CVE ID, or date range. Get CVSS scores, affected versions, references, and severity ratings. No API key required (optional for higher rate limits).

Verified: 2026-05-13 (printing-press-ingest-2026-05-13+enrich-capability-skill)

When to use nvd

Choose if

You're running security workflows from an agent loop and need free, read-only CVE/CVSS/CPE lookups against the canonical NIST NVD, with typed exit codes for rate-limit handling and offline-friendly output. No API key needed for low-volume work; an optional free key raises limits. Pick this over a paid vulnerability-intelligence vendor when the use case is plain CVE lookup and severity scoring.

Avoid if

You need richer threat-intelligence context — exploit-in-the-wild signals, vendor RHSAs/GHSAs, KEV catalog enrichment, or proprietary severity re-scoring — none of which the NVD itself provides. Also avoid for write operations: the CLI cannot publish or mutate anything upstream.

Risk Flags

MEDIUM rate_limit The NVD public endpoint is rate-limited. The CLI surfaces upstream throttling as exit code 7. Without an (optional, free) NIST API key, heavy workloads hit the anonymous-tier limits — agents must back off or request a key.
LOW scope Read-only by design — no create / update / delete / publish / send / mutate. Coverage is CVE / CVSS / CPE only; for vendor-specific advisory narratives (e.g., GHSA, vendor RHSAs), use upstream vendor sources.
LOW runtime Default install needs Node.js (npx); Go-source fallback needs Go 1.26.3+. Pre-built binaries available for sandboxed environments without either runtime.

Cost

Type: Free · Free tier: No API key required. Anonymous access works against the NIST NVD public endpoint; an optional API key (free) raises rate limits but is not mandatory.

Install

Default

npx -y @mvanhorn/printing-press install nvd

Estimated time to first success: ~5 min

Dependencies

Minimum runtime: Node.js 18+ (or Go 1.26.3+ for source install; pre-built binary alternative)

Distribution

Repository: https://github.com/mvanhorn/printing-press-library

Use nvd from your agent

claude mcp add auxiliar -- npx auxiliar-mcp
# Then in your agent:
get_capability(id="pp-nvd")