pp-nvd
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs its core CLI and MCP components from the author's official GitHub repository (github.com/mvanhorn/printing-press-library) and NPM scope (@mvanhorn/printing-press). These are documented vendor resources and do not represent a security risk.
- [COMMAND_EXECUTION]: The skill executes shell commands using the nvd-pp-cli binary. These commands are limited to read-only operations for vulnerability data retrieval (CPEs, CVEs) and local configuration management (profiles, feedback).
- [DATA_EXFILTRATION]: The skill includes a --deliver webhook:<url> feature which allows routing command output to an external URL. While this enables network transmission, it is presented as an explicit user/agent-directed feature for output delivery rather than silent data exfiltration. The 'Feedback' feature also defaults to local storage and requires explicit configuration (NVD_FEEDBACK_AUTO_SEND) to transmit data.
Audit Metadata