Stats
Actions
Tags
From cybersecurity-skills
Researches a CVE or vulnerability disclosure end-to-end: affected versions, reachability in your code, public PoC availability, patch status, exposure window, and mitigation guidance. Use for CVE, zero-day, EPSS, or patch triage.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:vuln-researchThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
When a CVE drops, the question isn't "do we have this package?" — `dependency-audit` answers that. The questions are:
When a CVE drops, the question isn't "do we have this package?" — dependency-audit answers that. The questions are:
This skill walks that workflow end-to-end. Pairs with dependency-audit (which surfaces the CVE in the first place) and finding-triage (which closes the disposition loop).
Start with the authoritative descriptions; everything downstream is summarized or sometimes wrong.
https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNNhttps://github.com/advisories/GHSA-... (often more concise than NVD, sometimes has detail NVD lacks; check the parent project's security tab)https://www.cisa.gov/known-exploited-vulnerabilities-catalog. If the CVE is here, treat as actively exploited — patch within CISA's stated due datehttps://www.first.org/epss/ — Exploit Prediction Scoring System; a 30-day probability of exploitation. Useful tiebreaker between high-CVSS-low-EPSS vs medium-CVSS-high-EPSSVendor advisories sometimes hedge ("affects versions before X"); pin down the exact range.
git tag --contains <commit> to see which releases include the fix# Is the package installed at all?
npm ls <package> # or yarn why <package>, pnpm why <package>
pip show <package> # or pip list | grep <package>
bundle info <gem>
go list -m all | grep <package>
# What version exactly?
# Inspect lockfiles directly — the resolved version is what runs, not the range
grep -A1 '"<package>"' package-lock.json
# Where is it used?
# Direct dependency, transitive, dev-only?
npm ls <package> --omit=dev # production-reachable?
If transitive, walk up the dependency tree until you find which direct dependency is pulling it in. That's where the override / pin / replacement lives.
A CVE is only exploitable if you actually call the vulnerable code path. This is where dependency-audit's noise gets cut down to real risk.
Read the patch. The fix commit shows exactly which function / file / API was vulnerable. Then:
# Does your code call the vulnerable function directly?
grep -rn "vulnerableFunction\|VulnerableClass" . \
--include="*.{js,ts,py,rb,go,java}" \
--exclude-dir=node_modules
# Does the dependency call it internally even if you don't?
# Trickier — you have to read the parent's source. For an indirect call:
cd node_modules/<package>
grep -rn "vulnerableFunction" .
Common reachability outcomes:
Don't write "not reachable" without showing the work. Future-you will want to revisit when usage changes.
CVE-YYYY-NNNNN in code and repos — PoCs land here within days of disclosurehttps://www.exploit-db.com/ — confirmed exploitshttps://www.greynoise.io/ — internet-wide scanning telemetry; if attackers are mass-scanning for this, your exposure window is nowEPSS interpretation:
| EPSS score | Meaning |
|---|---|
| > 0.7 | High probability of exploitation in next 30 days — treat as urgent |
| 0.1 – 0.7 | Meaningful exploitation likelihood — patch on regular cadence |
| < 0.1 | Low predicted exploitation — patch when convenient |
EPSS is empirically tuned; it correlates better with actual exploitation than CVSS does.
Patch (preferred):
overrides (npm) / resolutions (yarn) / pin to force the patched versionMitigate (when you can't patch):
siem-detection) so you'll see exploitation attempts even if mitigations failAccept risk (only when truly justified):
owasp-audit's Report Format — three required fields (why, compensating controls, re-evaluation trigger). No exceptions.After deciding:
npm ls / lockfile that the patched version is actually deployed (rollouts are not the same as decisions)overrides to a known-good fork, or replace the dependency# Vulnerability Assessment: CVE-YYYY-NNNNN
## Date: [date]
## Assessor: [name]
### Summary
- **Title:** [from advisory]
- **CVSS / EPSS:** [scores]
- **CISA KEV:** [yes / no, and due date if listed]
- **Affected versions:** [exact range]
- **Our version:** [version + how installed]
### Reachability
- **Direct call:** [yes / no — with evidence]
- **Indirect via dependency:** [yes / no — with evidence]
- **Verdict:** Reachable / Not reachable / Unknown
### Exploitation availability
- **Public PoC:** [yes / no — link]
- **Active exploitation:** [yes / no — source]
### Decision
- [ ] Patch (target deploy: [date])
- [ ] Mitigate (controls: [list]; re-evaluate: [date])
- [ ] Accept risk (why / compensating controls / re-eval trigger)
### Action items
| Item | Owner | Deadline |
|------|-------|----------|
### References
[Links to advisory, patch commit, PoC, EPSS, CISA, etc.]
cve.mitre.org (now redirects to cve.org)npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skillsManages vulnerability lifecycle: tracks CVEs, scores with CVSS, prioritizes risks using EPSS/KEV, designs remediation workflows, patch management, and disclosure practices.
Guides setting up coordinated vulnerability disclosure programs, responding to external reports, writing security advisories, and requesting CVEs.
Orchestrates CVE vulnerability testing: identifies tech stacks, researches known CVEs, adapts PoCs, and validates exploits against applications. Use for assessing dependencies, frameworks, and libraries.