Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From cybersecurity-skills
Researches a CVE or vulnerability disclosure end-to-end: affected versions, reachability in your code, public PoC availability, patch status, exposure window, and mitigation guidance. Use for CVE, zero-day, EPSS, or patch triage.
npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:vuln-researchThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
When a CVE drops, the question isn't "do we have this package?" — `dependency-audit` answers that. The questions are:
Manages vulnerability lifecycle: tracks CVEs, scores with CVSS, prioritizes risks using EPSS/KEV, designs remediation workflows, patch management, and disclosure practices.
Guides setting up vulnerability disclosure programs, responding to researcher reports, reporting third-party vulns, writing security advisories, requesting CVEs, and evaluating bug bounties.
Explains CVEs, GHSAs, and security findings in plain English with fix suggestions. Activates on CVE IDs or vulnerability questions.
Share bugs, ideas, or general feedback.
When a CVE drops, the question isn't "do we have this package?" — dependency-audit answers that. The questions are:
This skill walks that workflow end-to-end. Pairs with dependency-audit (which surfaces the CVE in the first place) and finding-triage (which closes the disposition loop).
Start with the authoritative descriptions; everything downstream is summarized or sometimes wrong.
https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNNhttps://github.com/advisories/GHSA-... (often more concise than NVD, sometimes has detail NVD lacks; check the parent project's security tab)https://www.cisa.gov/known-exploited-vulnerabilities-catalog. If the CVE is here, treat as actively exploited — patch within CISA's stated due datehttps://www.first.org/epss/ — Exploit Prediction Scoring System; a 30-day probability of exploitation. Useful tiebreaker between high-CVSS-low-EPSS vs medium-CVSS-high-EPSSVendor advisories sometimes hedge ("affects versions before X"); pin down the exact range.
git tag --contains <commit> to see which releases include the fix# Is the package installed at all?
npm ls <package> # or yarn why <package>, pnpm why <package>
pip show <package> # or pip list | grep <package>
bundle info <gem>
go list -m all | grep <package>
# What version exactly?
# Inspect lockfiles directly — the resolved version is what runs, not the range
grep -A1 '"<package>"' package-lock.json
# Where is it used?
# Direct dependency, transitive, dev-only?
npm ls <package> --omit=dev # production-reachable?
If transitive, walk up the dependency tree until you find which direct dependency is pulling it in. That's where the override / pin / replacement lives.
A CVE is only exploitable if you actually call the vulnerable code path. This is where dependency-audit's noise gets cut down to real risk.
Read the patch. The fix commit shows exactly which function / file / API was vulnerable. Then:
# Does your code call the vulnerable function directly?
grep -rn "vulnerableFunction\|VulnerableClass" . \
--include="*.{js,ts,py,rb,go,java}" \
--exclude-dir=node_modules
# Does the dependency call it internally even if you don't?
# Trickier — you have to read the parent's source. For an indirect call:
cd node_modules/<package>
grep -rn "vulnerableFunction" .
Common reachability outcomes:
Don't write "not reachable" without showing the work. Future-you will want to revisit when usage changes.
CVE-YYYY-NNNNN in code and repos — PoCs land here within days of disclosurehttps://www.exploit-db.com/ — confirmed exploitshttps://www.greynoise.io/ — internet-wide scanning telemetry; if attackers are mass-scanning for this, your exposure window is nowEPSS interpretation:
| EPSS score | Meaning |
|---|---|
| > 0.7 | High probability of exploitation in next 30 days — treat as urgent |
| 0.1 – 0.7 | Meaningful exploitation likelihood — patch on regular cadence |
| < 0.1 | Low predicted exploitation — patch when convenient |
EPSS is empirically tuned; it correlates better with actual exploitation than CVSS does.
Patch (preferred):
overrides (npm) / resolutions (yarn) / pin to force the patched versionMitigate (when you can't patch):
siem-detection) so you'll see exploitation attempts even if mitigations failAccept risk (only when truly justified):
owasp-audit's Report Format — three required fields (why, compensating controls, re-evaluation trigger). No exceptions.After deciding:
npm ls / lockfile that the patched version is actually deployed (rollouts are not the same as decisions)overrides to a known-good fork, or replace the dependency# Vulnerability Assessment: CVE-YYYY-NNNNN
## Date: [date]
## Assessor: [name]
### Summary
- **Title:** [from advisory]
- **CVSS / EPSS:** [scores]
- **CISA KEV:** [yes / no, and due date if listed]
- **Affected versions:** [exact range]
- **Our version:** [version + how installed]
### Reachability
- **Direct call:** [yes / no — with evidence]
- **Indirect via dependency:** [yes / no — with evidence]
- **Verdict:** Reachable / Not reachable / Unknown
### Exploitation availability
- **Public PoC:** [yes / no — link]
- **Active exploitation:** [yes / no — source]
### Decision
- [ ] Patch (target deploy: [date])
- [ ] Mitigate (controls: [list]; re-evaluate: [date])
- [ ] Accept risk (why / compensating controls / re-eval trigger)
### Action items
| Item | Owner | Deadline |
|------|-------|----------|
### References
[Links to advisory, patch commit, PoC, EPSS, CISA, etc.]
cve.mitre.org (now redirects to cve.org)