From find-cve-agent
Mines GitHub Security Advisories and NVD CVE databases for incomplete fixes, identifying variant vulnerabilities in patched code and similar patterns in related packages. Useful for high-acceptance-rate security findings.
```bash
npx claudepluginhub byamb4/find-cve-agent
```

This skill uses the workspace's default tool permissions.
Looking for high-acceptance-rate findings. Incomplete fix variants have ~95% acceptance rate because:
```bash
# GitHub Advisory API -- recent npm advisories
gh api graphql -f query='
{
  securityAdvisories(first: 20, orderBy: {field: PUBLISHED_AT, direction: DESC}, ecosystem: NPM) {
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      vulnerabilities(first: 5) {
        nodes {
          package { name ecosystem }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}'

# Search by keyword
gh api "/advisories?ecosystem=npm&keyword=injection&per_page=20"
gh api "/advisories?ecosystem=pip&keyword=traversal&per_page=20"
```
For each advisory:
```bash
# Find security-related commits
git log --oneline --all | grep -i "security\|fix\|vuln\|CVE\|patch\|sanitize"

# Read the patch
git show <commit_hash>
git diff <before_commit>..<fix_commit>
```
Common incomplete fixes:
| What Was Fixed | What Was Missed |
|---|---|
| `../` blocked | `..\` not blocked (Windows) |
| `__proto__` filtered | `constructor.prototype` not filtered |
| One regex fixed | Similar regex in same file not fixed |
| One function fixed | Wrapper function calls it differently |
| Parsing fixed | Serialization has same bug |
| Validation added | Can be bypassed with encoding |
| One entry point fixed | Other entry points not covered |
| Input sanitized | Error messages leak unsanitized data |
If the vulnerability is in a common pattern (e.g., path.join without validation), search for it in similar packages:
```bash
# Use grep.app to find same pattern across repos
# See cross-pollination skill for details
```
Apply the fp-check skill to verify the variant is real before submitting.
```bash
# Search NVD for CVEs by keyword
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=xml+parser+javascript"

# Search by CPE
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:vendor:product:*"
```
Variant findings typically get: