Request CVEs

Trust Score 80/100

Generate CVE request packages and disclosure artifacts (MITRE form data, GitHub advisory draft, full vulnerability report, and vendor notification templates) fr

triggers:cverequest cvevulnerability reportcve requestsecurity advisorygenerate cve

GitHub SKILL.md

What it does

This skill automates producing professional CVE request packages from pentest findings. For each qualifying finding it generates MITRE CVE form data, a GitHub Security Advisory draft, a full disclosure report, a vendor notification email template, and machine-readable candidate JSON. It also provides CWE mapping, CVSS guidance, and a reproducible workflow for responsible disclosure.

When to use it

Invoke this skill after completing a penetration test when you have verified, true-positive findings that merit CVE requests. Use it to standardize disclosure artifacts before contacting vendors or submitting MITRE/GitHub advisories. The skill is user-invocable only and expects researcher contact info as input.

What's included

Scripts: none embedded (has_scripts=false) — the SKILL defines detailed templates and file outputs to generate per-candidate request packages.
References: none embedded (has_references=false) — contains CWE mappings, CVSS reference, and artifact templates for MITRE/GitHub/vendor.
Instructions: comprehensive workflow covering input discovery (cve-candidates.json/findings.json), filtering criteria, enrichment fields to compute, artifact formats, and rules for responsible disclosure.

Compatible agents

Best used by security-focused agents or human-guided workflows able to read findings files, compute CVSS, and write filesystem artifacts (Pentest agents, Claude Code capable agents).

Audit Summary

A CVE request generator skill that produces MITRE form data, GitHub advisory drafts, vulnerability reports, and vendor notification emails from pentest findings. No bundled scripts — purely prompt-driven. Well-structured with clear phases, filtering logic, and output templates. Niche but valuable for security researchers doing coordinated disclosure. Hardcodes researcher name/org which is a minor oddity but not a security issue.

Watch Out

Hardcodes researcher name as 'Agent-smith' and org as '0x0pointer' — users must manually override
No scripts to validate or automate — relies entirely on agent prompt adherence
Depends on finding input files (cve-candidates.json or findings.json) that must exist from a prior pentest skill

Notes

Pure prompt-driven skill with no executable scripts. No security concerns — no shell commands, no network calls, no exfiltration. The CWE and CVSS reference tables are well-curated. Workflow is thorough with proper false-positive filtering and responsible disclosure emphasis. Niche audience (security researchers doing CVE requests) but well-executed for that audience.

Information

Repository: skills
Stars: 12
Installs: 0

Trust Score

Overall80

Security82

Code Quality78

Architecture80

Usefulness62

More from skills

Pentest Report Generator (NullPointer Studio)

Generate a styled, client-ready PDF penetration test report from findings.json using a defined dark theme and structured sections (exec summary, risk dashboard,

Related Skills

Reverse Engineer

Provides step-by-step guidance and best practices for binary reverse engineering: static analysis, dynamic tracing, disassembly, and documentation workflows for

Sandbox0 Integration

Guidance and templates for integrating Sandbox0 sandboxing into AI agents — CLI/SDK patterns, templates, volumes, network policy, and deployment choices.

CTF Write-up Generator

Generate a concise, reproducible submission-style CTF writeup with a one-path solution script, metadata, and a short checklist for fast verification.

Minimal Run & Audit (repro reporting)

Execute a README-first smoke test and produce standardized reproducibility outputs (`repro_outputs/`) and PATCHES.md — trusted reporting for repo reproduction r

Azure External Attack Surface Management

Provides expert guidance for Azure External Attack Surface Management (EASM): quotas, configuration, integrations, and exporting inventory to analytics platform

Node.js Best Practices

Guidelines and decision-making for Node.js architecture, runtime, async patterns, security, validation, and testing to inform framework and system choices.

radar — Smart Contract AST & Security Analysis

Multi-framework AST generator and static analysis tool for smart contracts (Rust/Anchor/Stylus and Solidity/Foundry) with a template DSL for writing detection r

Bash Pro

Defensive, production-grade Bash scripting patterns and CI/CD best practices: strict mode, safe argument parsing, testing with Bats, and tooling (ShellCheck/shf

Back to Skills