cve-poc-generator

CVE PoC Generator

Research a CVE by ID, generate a standalone Python proof-of-concept script, and produce a detailed vulnerability report.

Workflow

1. NVD Lookup - Query NVD API v2.0 for the CVE ID. Extract CVSS v3.1 score/vector, CWE IDs, CPE matches, advisory URLs, and patch links.
2. Advisory Research - Deep-dive vendor advisories, GitHub security advisories, Exploit-DB, and published write-ups. Identify root cause, affected versions, and attack vector details.
3. PoC Generation - Write a standalone Python script (poc.py) that demonstrates the vulnerability safely. Follow the script standards in reference/poc-methodology.md.
4. Report Generation - Write a comprehensive markdown report (report.md) with metadata, root cause analysis, risk assessment, and remediation guidance.

NVD Data to Collect

Field	Source	Usage
CVE ID	NVD	Primary identifier
CVSS v3.1 Score + Vector	NVD	Risk scoring
CWE ID(s)	NVD	Vulnerability classification
CPE Matches	NVD	Affected products and versions
Advisory URLs	NVD references	Research sources
Patch Links	NVD references / vendor	Remediation guidance
Description	NVD	Vulnerability summary
Published / Modified dates	NVD	Timeline

Output

{OUTPUT_DIR}/
  artifacts/cve-pocs/CVE-XXXX-XXXXX/
    poc.py              # Standalone Python PoC script
  reports/cve-pocs/CVE-XXXX-XXXXX/
    report.md           # Detailed vulnerability report

Invocation

/cve-poc-generator CVE-2024-XXXXX

The skill accepts a single CVE ID as argument. Multiple CVEs should be processed with separate invocations.

Rules

1. Least harm - PoC scripts MUST demonstrate vulnerability without causing damage. Use detection/verification checks, not destructive payloads.
2. Standalone scripts - PoC must run independently with only standard Python libraries plus requests. No framework dependencies.
3. Accurate scoring - Use the exact CVSS score and vector from NVD. Do not fabricate or estimate scores.
4. Source attribution - Every claim in the report must cite its source (NVD, vendor advisory, CVE description).
5. No emoji - Use text severity labels only (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL).
6. Verified data only - Do not hallucinate CVE details. If NVD data is unavailable, state it explicitly.
7. Safe defaults - PoC scripts must default to read-only, non-destructive operations. Any potentially harmful action requires explicit --confirm flag.