pp-nvd

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs its core CLI and MCP components from the author's official GitHub repository (github.com/mvanhorn/printing-press-library) and NPM scope (@mvanhorn/printing-press). These are documented vendor resources and do not represent a security risk.
  • [COMMAND_EXECUTION]: The skill executes shell commands using the nvd-pp-cli binary. These commands are limited to read-only operations for vulnerability data retrieval (CPEs, CVEs) and local configuration management (profiles, feedback).
  • [DATA_EXFILTRATION]: The skill includes a --deliver webhook:<url> feature which allows routing command output to an external URL. While this enables network transmission, it is presented as an explicit user/agent-directed feature for output delivery rather than silent data exfiltration. The 'Feedback' feature also defaults to local storage and requires explicit configuration (NVD_FEEDBACK_AUTO_SEND) to transmit data.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 08:29 PM