nvd-cve

$npx mdskill add automateyournetwork/netclaw/nvd-cve

Search the National Vulnerability Database for CVEs and retrieve detailed vulnerability information

  • Helps identify known vulnerabilities by CVE ID or keyword for security audits and remediation
  • Uses the NVD API and MCP script to fetch CVSS scores, weaknesses, and affected configurations
  • Analyzes input parameters to determine the correct search method and returns structured data
  • Delivers results in JSON format with detailed vulnerability metrics and references

SKILL.md

.github/skills/nvd-cve
---
name: nvd-cve
description: "Search the National Vulnerability Database for CVEs - find vulnerabilities by keyword or ID, get CVSS scores, weaknesses, affected configurations, and remediation references. Use when looking up a CVE, scanning for vulnerabilities, running a security audit, or checking if a software version has known exploits."
license: Apache-2.0
user-invocable: true
metadata:
  { "openclaw": { "requires": { "bins": ["python3"], "env": ["NVD_MCP_SCRIPT", "MCP_CALL"] } } }
---

# NVD CVE Vulnerability Search

## Available Tools

### 1. `get_cve` — Look Up a Specific CVE by ID

```bash
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" get_cve '{"cve_id":"CVE-2023-20198"}'
```

**Parameters:**
- `cve_id` (required): The CVE identifier, e.g., `CVE-2023-20198`
- `concise` (optional, default `false`): Set `true` for brief output (ID, description, CVSS score only)

**Returns:** Full CVE details including:
- CVSS v3.1 and v2.0 scores, severity, vector string
- Exploitability and impact scores
- CWE weakness identifiers
- References with tags (Vendor Advisory, Patch, Exploit, etc.)
- Affected configurations (CPE entries)

### 2. `search_cve` — Search CVEs by Keyword

```bash
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco IOS XE 17.9"}'
```

**Parameters:**
- `keyword` (required): Search term, e.g., `"Cisco IOS XE"`, `"NX-OS 10.2"`, `"OpenSSL 3.0"`
- `exact_match` (optional, default `false`): Require exact keyword match
- `concise` (optional, default `false`): Brief output per CVE
- `results` (optional, default `10`): Number of results to return (max 2000)

**Returns:** List of matching CVEs with full details, plus total count.
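To make the "Returns" lists above concrete, here is an added example (not the skill's own MCP script) that flattens an NVD API 2.0 record into the fields `get_cve` and `search_cve` report, including the `concise` variant. The JSON response is constructed for illustration: only the CVE id is taken from this page, the other field values are not NVD data.

```python
import json

# Constructed sample in NVD API 2.0 "vulnerabilities" format. Only the CVE id is
# taken from this page; every other field value is illustrative, not NVD data.
SAMPLE_NVD_RESPONSE = json.dumps({"totalResults": 1, "vulnerabilities": [{"cve": {
    "id": "CVE-2023-20198",
    "descriptions": [{"lang": "en", "value": "Sample description text."}],
    "metrics": {"cvssMetricV31": [{"type": "Primary", "exploitabilityScore": 3.9,
        "impactScore": 6.0, "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}]}],
    "references": [{"url": "https://example.invalid/advisory", "tags": ["Vendor Advisory", "Patch"]}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"criteria": "cpe:2.3:o:cisco:ios_xe:17.9.4:*:*:*:*:*:*:*", "vulnerable": True},
        {"criteria": "cpe:2.3:h:cisco:catalyst_9300:-:*:*:*:*:*:*:*", "vulnerable": False}]}]}],
}}]})


def _primary(entries):
    """NVD may carry scores from several sources; prefer the Primary (NVD) one."""
    return next((e for e in entries if e.get("type") == "Primary"), entries[0])


def parse_cve(record, concise=False):
    """Flatten one API 2.0 vulnerability record into the fields get_cve reports."""
    cve = record["cve"]
    desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
    out = {"id": cve["id"], "description": desc, "cvss": {}}
    for key, label in (("cvssMetricV31", "v3.1"), ("cvssMetricV2", "v2.0")):
        if cve.get("metrics", {}).get(key):
            m = _primary(cve["metrics"][key])
            out["cvss"][label] = {
                "score": m["cvssData"]["baseScore"],
                # v3.x stores severity inside cvssData, v2 at the metric level
                "severity": m["cvssData"].get("baseSeverity") or m.get("baseSeverity"),
                "vector": m["cvssData"]["vectorString"],
                "exploitability": m.get("exploitabilityScore"), "impact": m.get("impactScore")}
    if concise:  # id, description and scores only, like the concise=true option
        return out
    out["cwes"] = sorted({d["value"] for w in cve.get("weaknesses", []) for d in w["description"]})
    out["references"] = [{"url": r["url"], "tags": r.get("tags", [])} for r in cve.get("references", [])]
    out["affected_cpes"] = [m["criteria"] for c in cve.get("configurations", [])
                            for n in c["nodes"] for m in n["cpeMatch"] if m.get("vulnerable")]
    return out


def parse_response(raw_json, concise=False):
    """Parse a whole response as search_cve would: (totalResults, list of CVE dicts)."""
    data = json.loads(raw_json)
    return data["totalResults"], [parse_cve(v, concise) for v in data["vulnerabilities"]]
```

Only CPE entries flagged `vulnerable` are kept, so non-vulnerable platform entries that NVD lists alongside the affected software do not show up as affected configurations.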

## When to Use

- **Post-health-check vulnerability scan**: After `show version` reveals the IOS-XE/NX-OS version, search NVD for known CVEs
- **Security audit enrichment**: Cross-reference running config features (HTTP server, SNMP, SSH) against CVEs
- **Incident response**: Look up specific CVE IDs mentioned in advisories
- **Compliance reporting**: Document known vulnerabilities and remediation status
- **Upgrade planning**: Compare CVE exposure between current and target versions

## Vulnerability Audit Workflow

### Step 1: Extract Software Version

From a device health check, extract the software version (e.g., `IOS-XE 17.9.4a`).

### Step 2: Search NVD for Version-Specific CVEs

```bash
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco IOS XE 17.9.4","results":20}'
```

### Step 3: Get Details for Critical/High CVEs

For each CVE with CVSS >= 7.0, pull full details:

```bash
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" get_cve '{"cve_id":"CVE-2023-20198"}'
```

### Step 4: Exposure Correlation

Cross-reference CVE requirements against the device running config:

| CVE | Requires | Running Config | Exposed? |
|-----|----------|---------------|----------|
| CVE-2023-20198 | HTTP/HTTPS server enabled | `ip http server` present | **YES** |
| CVE-2023-20273 | Web UI accessible | `ip http secure-server` + no ACL | **YES** |
| CVE-2024-XXXXX | OSPF enabled | `router ospf 1` present | **YES** |

### Step 5: Produce Vulnerability Report

```
Vulnerability Audit — YYYY-MM-DD
Device: R1 | IOS-XE 17.9.4a

CRITICAL (CVSS >= 9.0):
  CVE-2023-20198 (CVSS 10.0) — IOS-XE Web UI privilege escalation
    Exposure: CONFIRMED — ip http server enabled
    Remediation: Upgrade to 17.9.4a+ or disable ip http server

HIGH (CVSS >= 7.0):
  CVE-2023-20273 (CVSS 7.2) — Web UI command injection
    Exposure: CONFIRMED — ip http secure-server, no ACL
    Remediation: Apply access-class to HTTP server or upgrade

MEDIUM (CVSS >= 4.0):
  [none found]

Summary: 2 CRITICAL (2 exposed), 0 HIGH, 0 MEDIUM
```

### Step 6: Search by Feature Keywords

When auditing specific features, search for feature-specific CVEs:

```bash
# SNMP vulnerabilities
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco SNMP remote code execution","results":10}'

# BGP vulnerabilities
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco BGP denial of service","results":10}'

# SSH vulnerabilities
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco IOS SSH vulnerability","results":10}'
```

## CVSS Severity Mapping

| CVSS Score | Severity | Action Timeline |
|-----------|----------|-----------------|
| 9.0 - 10.0 | CRITICAL | Immediate remediation required |
| 7.0 - 8.9 | HIGH | Remediate within 1 change window |
| 4.0 - 6.9 | MEDIUM | Remediate in next maintenance window |
| 0.1 - 3.9 | LOW | Document and track |
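The following is an added example (not code from the skill or the netclaw project) that carries Steps 3 to 5 of the audit workflow and the severity table above through in code: it buckets concise `search_cve`-style findings by CVSS, derives the Step 4 exposure preconditions from the running config text, and builds the report's summary line. The findings list and config are constructed sample inputs; the two Web UI CVEs and their scores are the ones on this page, while the OSPF entry keeps the page's placeholder id with an invented score.

```python
# Constructed sample inputs: the two Web UI CVEs, their scores and config
# requirements are the ones on this page; the OSPF entry is a placeholder.
FINDINGS = [
    {"id": "CVE-2023-20198", "score": 10.0, "requires": "http_server"},
    {"id": "CVE-2023-20273", "score": 7.2, "requires": "web_ui_unrestricted"},
    {"id": "CVE-2024-XXXXX", "score": 5.3, "requires": "ospf"},  # placeholder id and score
]
RUNNING_CONFIG = """hostname R1
ip http server
ip http secure-server
"""
SEVERITY_FLOORS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.1))


def severity(score):
    """CVSS score -> severity, per the mapping table above (0.0 means no rating)."""
    return next((name for name, floor in SEVERITY_FLOORS if score >= floor), "NONE")


def config_facts(running_config):
    """Derive the exposure preconditions of the Step 4 table from the config text."""
    lines = {ln.strip() for ln in running_config.splitlines()}
    web_ui = "ip http server" in lines or "ip http secure-server" in lines
    has_acl = any(ln.startswith("ip http access-class") for ln in lines)
    return {"http_server": web_ui,
            "web_ui_unrestricted": web_ui and not has_acl,
            "ospf": any(ln.startswith("router ospf") for ln in lines)}


def audit(findings, running_config, detail_threshold=7.0):
    """Bucket findings by severity; mark exposure and whether Step 3's full get_cve applies."""
    facts = config_facts(running_config)
    buckets = {"CRITICAL": [], "HIGH": [], "MEDIUM": [], "LOW": []}
    for f in findings:
        sev = severity(f["score"])
        if sev != "NONE":
            buckets[sev].append(dict(f, exposed=facts.get(f["requires"], False),
                                     needs_detail=f["score"] >= detail_threshold))
    return buckets


def summary_line(buckets):
    """Summary line in the Step 5 report format, e.g. '2 CRITICAL (2 exposed)'."""
    parts = [f"{len(v)} {sev} ({sum(1 for f in v if f['exposed'])} exposed)"
             for sev, v in buckets.items() if sev != "LOW"]
    return "Summary: " + ", ".join(parts)
```

Adding `ip http access-class` to the config clears the `web_ui_unrestricted` precondition but not `http_server`, which is why the two Web UI CVEs must be checked against different requirements rather than a single "web UI on" flag.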

## Fleet-Wide Vulnerability Scan

Run version discovery across all devices, then batch-search NVD for each unique version:

```bash
# Step 1: Get version from each device
PYATS_TESTBED_PATH=$PYATS_TESTBED_PATH python3 $MCP_CALL "python3 -u $PYATS_MCP_SCRIPT" pyats_run_show_command '{"device_name":"R1","command":"show version"}'

# Step 2: Search NVD for each unique version found
NVD_API_KEY=$NVD_API_KEY python3 $MCP_CALL "python3 -u $NVD_MCP_SCRIPT" search_cve '{"keyword":"Cisco IOS XE 17.9.4","results":20,"concise":true}'
```

Produce a fleet vulnerability matrix:

```
┌──────────┬───────────────────┬──────────┬──────┬──────┬────────┐
│ Device   │ Software Version  │ CRITICAL │ HIGH │ MED  │ Action │
├──────────┼───────────────────┼──────────┼──────┼──────┼────────┤
│ R1       │ IOS-XE 17.9.4a    │ 2        │ 3    │ 5    │ URGENT │
│ R2       │ IOS-XE 17.12.1    │ 0        │ 1    │ 2    │ PLAN   │
│ SW1      │ IOS-XE 16.12.4    │ 5        │ 8    │ 12   │ URGENT │
└──────────┴───────────────────┴──────────┴──────┴──────┴────────┘
```

## GAIT Audit Trail

Record vulnerability scans in GAIT:

```bash
python3 $MCP_CALL "python3 -u $GAIT_MCP_SCRIPT" gait_record_turn '{"input":{"role":"assistant","content":"NVD vulnerability scan on R1 (IOS-XE 17.9.4a): 2 CRITICAL (CVE-2023-20198, CVE-2023-20273), 3 HIGH, 5 MEDIUM. Both CRITICAL CVEs confirmed exposed via running config analysis.","artifacts":[]}}'
```

More from automateyournetwork/netclaw

| Skill | Description |
|-------|-------------|
| aap-automation | Red Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles. |
| aap-eda | Event-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks. |
| aap-lint | ansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment. |
| aci-change-deploy | Safe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection. |
| aci-fabric-audit | Comprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC. |
| arista-cvp | Arista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP. |
| aruba-cx-config | View and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations |
| aruba-cx-interfaces | Monitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health |
| aruba-cx-switching | View and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations |
| aruba-cx-system | Discover Aruba CX switch system information, firmware versions, and VSF topology |