nvd-cve

SUSPICIOUS. The skill's purpose is coherent and the intended external service is the official NVD API, so this is not fundamentally incompatible with its stated use. However, the trust boundary is unclear because the API key and queries are routed through opaque local MCP wrapper scripts whose provenance and behavior are not verified by the skill, creating moderate credential-forwarding and execution-trust risk.