Gathers CVE vulnerability details from NVD, MITRE, Go VulnDB, and GHSA with fallback searches for new CVEs or incomplete web results.
From compliance: npx claudepluginhub openshift-eng/ai-helpers --plugin compliance
This skill uses the workspace's default tool permissions.
Systematically collects CVE vulnerability details from multiple authoritative sources, handles search failures, and compiles a comprehensive vulnerability profile for analysis.
Use this skill when:
web_search tool access

```bash
#!/usr/bin/env bash
# Validate the CVE identifier passed as the first argument, e.g. CVE-YYYY-NNNNN
CVE_ID="${1:?usage: $0 CVE-YYYY-NNNNN}"

# Regex pattern for CVE ID: "CVE-", a four-digit year, "-", then four or more digits
CVE_PATTERN="^CVE-[0-9]{4}-[0-9]{4,}$"

# Validate format
if [[ "$CVE_ID" =~ $CVE_PATTERN ]]; then
    echo "Valid CVE format"
else
    echo "ERROR: Invalid CVE format. Expected: CVE-YYYY-NNNNN" >&2
    exit 1
fi
```
Extract components:
- YYYY from CVE-YYYY-NNNNN (year)
- NNNNN from CVE-YYYY-NNNNN (sequence number)
Decision Point:
National Vulnerability Database (NVD)
Search query: "CVE-{ID} site:nvd.nist.gov"
Example: "CVE-YYYY-NNNNN site:nvd.nist.gov"
Extract from results:
MITRE CVE Database
Search query: "CVE-{ID} site:cve.mitre.org"
Example: "CVE-YYYY-NNNNN site:cve.mitre.org"
Extract from results:
Error Handling:
Go Vulnerability Database
Search queries:
1. "CVE-{ID} golang vulnerability"
2. "CVE-{ID} site:github.com/golang/vulndb"
3. "CVE-{ID} site:go.dev/security"
Extract from results:
- Affected package path (e.g., <package-path>)
- Vulnerable version range (e.g., < <version>)
- Fixed version (e.g., <version>)
GitHub Security Advisories (GHSA)
Search queries:
1. "CVE-{ID} golang GHSA"
2. "CVE-{ID} site:github.com/advisories"
Look for:
- GHSA identifier (e.g., GHSA-xxxx-xxxx-xxxx)
Decision Point:
Security Advisories
Search queries:
1. "CVE-{ID} security advisory"
2. "CVE-{ID} golang fix"
3. "CVE-{ID} patch"
Look for:
Community Discussions
Search queries:
1. "CVE-{ID} golang github issue"
2. "CVE-{ID} golang discussion"
Check for:
Proof of Concept / Exploits (for context only)
Search query: "CVE-{ID} exploit poc"
Note: Only use for understanding attack vectors, not for testing
If CVE is Very New (e.g., published recently)
Search alternative queries:
1. "CVE-{ID} disclosure"
2. "CVE-{ID} advisory {YEAR}"
3. "{PACKAGE_NAME} vulnerability {YEAR}"
If Web Searches Return No Results
Try alternative strategies:
Search by package name (if known from context):
Search: "{package-name} vulnerability {year}"
Example: "<package-name> vulnerability <year>"
Search for GHSA aliases:
Search: "GHSA-{pattern} golang"
Check package repository directly:
Search: "site:github.com/{org}/{repo} security"
Decision Point:
If automated searches fail, prompt user:
❌ Unable to fetch details for {CVE-ID} from online sources.
Attempted searches:
- NVD: No results
- MITRE: No results
- Go vulnerability database: No results
- GitHub Security Advisories: No results
Please provide any information you have about this CVE:
1. CVE Description:
[What vulnerability does this CVE describe?]
2. Affected Go Packages/Modules:
[e.g., <package-path>, github.com/<org>/<repo>]
3. Vulnerable Version Range:
[e.g., all versions before <version>, or versions <version-range>]
4. Fixed Version (if known):
[e.g., <version> or later]
5. Severity (if known):
[CRITICAL/HIGH/MEDIUM/LOW or CVSS score]
6. References (if any):
[Links to security advisories, GitHub issues, etc.]
You can provide partial information. Analysis will proceed with whatever details are available.
Would you like to provide CVE details? (yes/no)
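The search ladder described in the steps above (primary sources, Go-specific sources, fallback queries for very new CVEs, then the user prompt when everything comes back empty), written out as an added example; this is not the skill's own code. The `search` callable stands in for the web_search tool so the ladder runs offline, the query strings are the ones listed in the skill, and the sample identifier, package name and results in the usage are constructed placeholders.

```python
"""Search ladder with fallbacks for the CVE gathering steps.

Added example, not the skill's own code. `search` is injected so the ladder can
be exercised offline; a real implementation would wrap the web_search tool.
"""
from __future__ import annotations
import re
from typing import Callable, Optional

CVE_PATTERN = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[str, str]:
    """Validate CVE-YYYY-NNNNN and return (YYYY, NNNNN); raises ValueError otherwise."""
    match = CVE_PATTERN.match(cve_id.strip())
    if not match:
        raise ValueError(f"Invalid CVE identifier format. Expected: CVE-YYYY-NNNNN. Received: {cve_id!r}")
    return match.group(1), match.group(2)


def primary_queries(cve_id: str) -> list[tuple[str, str]]:
    """(source, query) pairs in the order the skill consults them."""
    return [
        ("NVD", f"{cve_id} site:nvd.nist.gov"),
        ("MITRE", f"{cve_id} site:cve.mitre.org"),
        ("Go vulndb", f"{cve_id} golang vulnerability"),
        ("Go vulndb", f"{cve_id} site:github.com/golang/vulndb"),
        ("Go vulndb", f"{cve_id} site:go.dev/security"),
        ("GHSA", f"{cve_id} golang GHSA"),
        ("GHSA", f"{cve_id} site:github.com/advisories"),
    ]


def fallback_queries(cve_id: str, year: str, package: Optional[str]) -> list[tuple[str, str]]:
    """Queries for very new CVEs; the package-name query only applies when a name is known."""
    queries = [("Fallback", f"{cve_id} disclosure"), ("Fallback", f"{cve_id} advisory {year}")]
    if package:
        queries.append(("Fallback", f"{package} vulnerability {year}"))
    return queries


SearchFn = Callable[[str], list]


def run_queries(queries: list[tuple[str, str]], search: SearchFn,
                attempted: dict[str, int], hits: dict[str, list]) -> None:
    """Run each query, counting results per source and keeping any hits."""
    for source, query in queries:
        results = search(query)
        attempted[source] = attempted.get(source, 0) + len(results)
        if results:
            hits.setdefault(source, []).extend(results)


def attempted_report(cve_id: str, attempted: dict[str, int]) -> str:
    """Render the 'Attempted searches' list shown before asking the user for details."""
    lines = [f"Unable to fetch details for {cve_id} from online sources.", "Attempted searches:"]
    for source, count in attempted.items():
        label = "No results" if count == 0 else f"{count} result(s)"
        lines.append(f"- {source}: {label}")
    return "\n".join(lines)


def gather(cve_id: str, search: SearchFn, package: Optional[str] = None) -> dict:
    """Walk the ladder: primary sources, then fallbacks, then hand over to the user prompt."""
    try:
        year, _ = parse_cve_id(cve_id)
    except ValueError as exc:
        return {"status": "error", "message": str(exc)}  # invalid format: do not proceed

    attempted: dict = {}
    hits: dict = {}
    run_queries(primary_queries(cve_id), search, attempted, hits)
    if not hits:  # nothing from the primary sources: treat the CVE as very new
        run_queries(fallback_queries(cve_id, year, package), search, attempted, hits)
    if not hits:  # every search came back empty: ask the user for details
        return {"status": "needs_user_input", "attempted": attempted,
                "prompt": attempted_report(cve_id, attempted)}
    return {"status": "found", "attempted": attempted, "hits": hits}


if __name__ == "__main__":
    # Constructed offline stand-in for web_search: only the NVD query "returns" a hit.
    fake_search = lambda q: [{"url": "constructed-result"}] if "nvd.nist.gov" in q else []
    print(gather("CVE-2099-0001", fake_search)["status"])
    print(gather("CVE-2099-0001", lambda q: [], package="example.com/constructed/mod")["prompt"])
```

The ladder stops escalating as soon as a primary source returns anything, so the fallback queries run only for the "very new CVE" case the skill describes, and the `attempted` counts feed the per-source "No results" lines of the user prompt.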
User Response Handling:
Create structured summary with all gathered information:
```json
{
  "cve_id": "CVE-YYYY-NNNNN",
  "aliases": ["GHSA-xxxx-xxxx-xxxx"],
  "severity": {
    "rating": "<CRITICAL|HIGH|MEDIUM|LOW>",
    "cvss_score": "<score>",
    "cvss_vector": "<CVSS vector string>"
  },
  "affected_packages": [
    {
      "name": "<package-name>",
      "vulnerable_versions": "<version-range>",
      "fixed_version": "<fixed-version>",
      "vulnerable_functions": ["<function1>", "<function2>"]
    }
  ],
  "vulnerability_type": "<vulnerability-type>",
  "cwe_id": "CWE-<number>",
  "attack_vector": "<attack-vector>",
  "description": "<vulnerability description>",
  "impact": {
    "confidentiality": "<NONE|LOW|HIGH>",
    "integrity": "<NONE|LOW|HIGH>",
    "availability": "<NONE|LOW|HIGH>"
  },
  "remediation": {
    "fix_available": true,
    "recommended_action": "<remediation guidance>",
    "workarounds": []
  },
  "information_sources": [
    {
      "type": "NVD",
      "verified": true,
      "url": "https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN"
    },
    {
      "type": "GitHub Security Advisory",
      "verified": true,
      "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"
    }
  ],
  "information_completeness": "COMPLETE",
  "data_quality": "HIGH",
  "gaps": []
}
```
Mark Information Sources:
Assess Information Completeness:
Identify Gaps:
```json
"gaps": [
  "CVSS score not available",
  "Fixed version not confirmed",
  "Vulnerable functions not identified"
]
```
Assess if CVE is Go-related:
Strong Indicators (HIGH confidence):
Weak Indicators (MEDIUM confidence):
Not Go-related (Exit early):
Decision Point:
Return structured data to parent command:
```json
{
  "skill": "cve-intelligence-gathering",
  "status": "success",
  "cve_profile": {
    "cve_id": "CVE-YYYY-NNNNN",
    "severity": "<CRITICAL|HIGH|MEDIUM|LOW>",
    "cvss_score": "<score>",
    "affected_packages": [...],
    "fixed_versions": [...],
    "description": "...",
    "references": [...]
  },
  "information_quality": {
    "completeness": "<COMPLETE|MOSTLY_COMPLETE|PARTIAL|MINIMAL>",
    "sources": ["<source1>", "<source2>", ...],
    "user_provided": "<true|false>",
    "gaps": []
  },
  "go_relevance": {
    "is_go_related": "<true|false>",
    "confidence": "<HIGH|MEDIUM|LOW>",
    "reasoning": "<explanation>"
  }
}
```
Error: Invalid CVE identifier format
Expected: CVE-YYYY-NNNNN
Received: {user-input}
Action: Return error, do not proceed
Warning: CVE-{ID} not found in any database
Possible reasons:
- CVE is very new (not yet published)
- CVE ID is incorrect
- CVE was disputed/rejected
- Private disclosure not yet public
Action: Request user input or exit
Info: CVE-{ID} does not appear to affect Go
Affected platforms: {list}
Action: Return NOT_APPLICABLE verdict early
Step 1: Validate
✓ CVE-YYYY-NNNNN - Valid format
Step 2: Primary Sources
✓ NVD: Found - CVSS <score>, Severity: <severity>
✓ MITRE: Found - CWE-<number>, References available
Step 3: Go-Specific Sources
✓ Go vulndb: Found - <package-name>
✓ GHSA: Found - GHSA-xxxx-xxxx-xxxx
- Affected: <package-name> <version-range>
- Fixed: <fixed-version>
- Vulnerable functions: <function1>, <function2>
Step 4: Remediation Intelligence
✓ GitHub Advisory: Update to <fixed-version>
✓ Release notes: <release-notes-url>
✓ Fix commit: <commit-url>
Step 5: Not needed - sufficient data
Step 6: Not needed - sufficient data
Step 7: Compile Profile
✓ All fields populated
✓ Information completeness: COMPLETE
✓ Data quality: HIGH
✓ No gaps identified
Step 8: Go Relevance
✓ Is Go-related: YES
✓ Confidence: HIGH
✓ Package: <package-name>
Result: Complete vulnerability profile ready for Phase 2 analysis
This skill is called from Phase 1 of the /compliance:analyze-cve command.
Input from parent:
Output to parent:
Decision Flow:
IF status = "error" → Exit command
IF go_relevance.is_go_related = false → Generate "Not Applicable" report, exit
IF information_quality.completeness = "MINIMAL" AND user_declined → Exit command
OTHERWISE → Proceed to Phase 2 with profile
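Profile compilation (gap identification, completeness assessment, Go-relevance check, the structure returned to the parent) and the parent command's decision flow above, carried through as one added example; this is not the skill's or the plugin's own code. The skill names the output fields but not the scoring rules, so the required-field list, the completeness thresholds and the Go indicators (`GO_STRONG_PREFIXES`, `GO_WEAK_PHRASES`) are assumptions, and `SAMPLE_PROFILE` is a constructed placeholder rather than a real CVE.

```python
"""Profile compilation, gap analysis, Go-relevance check and hand-off decision.

Added example, not the skill's own code. The field list, completeness thresholds
and Go indicators are assumptions chosen to illustrate the skill's output shape.
"""
from __future__ import annotations

# Top-level fields a complete profile carries, with the gap text recorded when absent (assumed).
TOP_LEVEL_FIELDS = {
    "description": "Description not available",
    "cvss_score": "CVSS score not available",
}
# Per-package fields, checked against every entry in affected_packages (assumed).
PACKAGE_FIELDS = {
    "vulnerable_versions": "Vulnerable version range not confirmed",
    "fixed_version": "Fixed version not confirmed",
    "vulnerable_functions": "Vulnerable functions not identified",
}
# Module-path prefixes treated as strong Go indicators; phrases treated as weak ones (assumed).
GO_STRONG_PREFIXES = ("golang.org/", "go.dev/", "github.com/golang/")
GO_WEAK_PHRASES = ("golang", "go module", "go package", "written in go")


def identify_gaps(profile: dict) -> list[str]:
    """List every missing field in a stable order so the gaps array is reproducible."""
    gaps = [msg for field, msg in TOP_LEVEL_FIELDS.items() if not profile.get(field)]
    packages = profile.get("affected_packages") or []
    if not packages:
        gaps.append("Affected packages not identified")
    else:
        gaps += [msg for field, msg in PACKAGE_FIELDS.items()
                 if not all(pkg.get(field) for pkg in packages)]
    return gaps


def completeness(profile: dict, gaps: list[str]) -> str:
    """Map the gaps to the skill's completeness levels; the thresholds are assumed."""
    if not profile.get("description") or not profile.get("affected_packages"):
        return "MINIMAL"  # nothing to analyse without a description and a package
    if not gaps:
        return "COMPLETE"
    return "MOSTLY_COMPLETE" if len(gaps) == 1 else "PARTIAL"


def go_relevance(profile: dict, sources: list[str]) -> dict:
    """Strong indicators give HIGH confidence, weak ones MEDIUM, nothing found means not Go."""
    names = [pkg.get("name", "") for pkg in profile.get("affected_packages") or []]
    if "Go vulndb" in sources or any(n.startswith(GO_STRONG_PREFIXES) for n in names):
        return {"is_go_related": True, "confidence": "HIGH",
                "reasoning": "Listed in the Go vulnerability database or affects a Go module path"}
    description = profile.get("description", "").lower()
    if any(phrase in description for phrase in GO_WEAK_PHRASES):
        return {"is_go_related": True, "confidence": "MEDIUM",
                "reasoning": "Description mentions Go but no Go-specific source confirmed it"}
    return {"is_go_related": False, "confidence": "HIGH" if names else "LOW",
            "reasoning": "No Go source, Go module path or Go mention found"}


def build_output(profile: dict, sources: list[str], user_provided: bool = False) -> dict:
    """Assemble the structure the skill returns to the parent command."""
    gaps = identify_gaps(profile)
    packages = profile.get("affected_packages") or []
    return {
        "skill": "cve-intelligence-gathering",
        "status": "success",
        "cve_profile": {
            "cve_id": profile.get("cve_id"),
            "severity": profile.get("severity"),
            "cvss_score": profile.get("cvss_score"),
            "affected_packages": packages,
            "fixed_versions": [p["fixed_version"] for p in packages if p.get("fixed_version")],
            "description": profile.get("description"),
            "references": profile.get("references", []),
        },
        "information_quality": {"completeness": completeness(profile, gaps), "sources": sources,
                                "user_provided": user_provided, "gaps": gaps},
        "go_relevance": go_relevance(profile, sources),
    }


def next_step(output: dict, user_declined: bool = False) -> str:
    """The parent command's decision flow applied to the returned structure."""
    if output["status"] == "error":
        return "exit"
    if not output["go_relevance"]["is_go_related"]:
        return "not_applicable_report"
    if output["information_quality"]["completeness"] == "MINIMAL" and user_declined:
        return "exit"
    return "phase_2"


# Constructed sample profile; identifier, package path and URL are placeholders, not a real CVE.
SAMPLE_PROFILE = {
    "cve_id": "CVE-2099-0001",
    "severity": "HIGH",
    "cvss_score": "7.5",
    "description": "Constructed sample: unbounded allocation while parsing a crafted input",
    "affected_packages": [{
        "name": "example.com/constructed/parser",
        "vulnerable_versions": "< v1.2.3",
        "fixed_version": "v1.2.3",
        "vulnerable_functions": ["Parse"],
    }],
    "references": ["https://example.com/constructed-advisory"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_output(SAMPLE_PROFILE, ["NVD", "Go vulndb"]), indent=2))
```

Gap messages are emitted in a fixed order so two runs over the same inputs produce the same `gaps` array, which keeps the returned profile diffable between analyses; the Go-relevance check is evaluated before the completeness check in `next_step`, matching the order of the decision flow, so a non-Go CVE produces the "Not Applicable" report even when the profile is minimal.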