Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aeondave/vuln-research

Name: vuln-research
Author: aeondave

offensive-tools/exploits/vuln-research/SKILL.md

npx skillsauth add aeondave/malskill vuln-research

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Vuln Research

Exploit research workflow — from software version to working exploit.

Triage Order

Identify exact software + version
Search NVD for CVEs
Check CVSS score — prioritize Critical (9.0+) / High (7.0+)
Find PoC / exploit
Assess exploitability (auth required, network access, mitigations)
Run exploit or look for Metasploit module

Step 1 — Identify Version

# On target — common version fingerprinting
uname -r                          # Kernel
lsb_release -a                    # Linux distro
apache2 -v / nginx -v             # Web server
php --version                     # PHP
mysql --version                   # MySQL
python3 --version
dpkg -l | grep <package>          # Debian package version
rpm -qa | grep <package>          # RHEL/CentOS

Step 2 — CVE Lookup

NVD (authoritative)

https://nvd.nist.gov/vuln/search?query=<product>+<version>

CLI via nvdlib (Python)

pip install nvdlib
python3 -c "
import nvdlib
cves = nvdlib.searchCVE(keywordSearch='apache 2.4.49', limit=10)
for c in cves:
    print(c.id, c.score, c.descriptions[0].value[:120])
"

Via curl (NVD API v2)

curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=OpenSSH+8.2&resultsPerPage=5" \
  | jq '.vulnerabilities[].cve | {id: .id, score: .metrics.cvssMetricV31[0].cvssData.baseScore, desc: .descriptions[0].value[:100]}'

Step 3 — CVSS Triage

| Score | Severity | Action | |-------|----------|--------| | 9.0–10.0 | Critical | Exploit immediately — likely weaponized | | 7.0–8.9 | High | Check for PoC; often exploitable | | 4.0–6.9 | Medium | Exploit if conditions met (auth, local) | | 0.1–3.9 | Low | Deprioritize |

Key CVSS vectors to check:

AV:N (Network) — remotely exploitable; highest value
PR:N (No Privileges Required) — unauthenticated
UI:N (No User Interaction) — autonomous exploitation
S:C (Scope Changed) — impact beyond vulnerable component

Step 4 — Find Public Exploit / PoC

Sploitus (aggregates ExploitDB + PacketStorm + GitHub PoCs)

https://sploitus.com/?query=<CVE-ID>
https://sploitus.com/?query=<product>+<version>

PoC-in-GitHub

# Search GitHub for PoCs
curl -s "https://poc-in-github.motikan2010.net/api/v1/?cve_id=CVE-2021-44228" | jq '.pocs[]'

https://github.com/search?q=CVE-2021-44228+PoC&type=repositories&sort=updated

SearchSploit (offline)

searchsploit <product> <version>
searchsploit --cve <CVE-ID>

Exploit-DB (online)

https://www.exploit-db.com/search?cve=<CVE-ID>

Packetstorm

https://packetstormsecurity.com/search/?q=<CVE-ID>

Vulhub (Docker PoC environments)

https://github.com/vulhub/vulhub/tree/master/<product>/<CVE>
# Ready-to-deploy Docker lab for the vulnerability

Step 5 — Check Metasploit Module

msfconsole -q -x "search cve:<CVE-ID>; exit"
msfconsole -q -x "search type:exploit name:<product>; exit"

If a Metasploit module exists: prefer it over raw PoC — handles payload staging, bad chars, encoders.

Step 6 — Assess Exploitability

Before running:

# Check if target version is actually vulnerable
# Many PoCs have specific minor version requirements

# Linux: ASLR
cat /proc/sys/kernel/randomize_va_space   # 2=full, 1=partial, 0=off

# Linux: mitigations
cat /proc/cpuinfo | grep -E 'flags|bugs'  # spectre/meltdown status

# Windows: check patch level (if access)
systeminfo | findstr /B /C:"OS Version" /C:"Hotfix(s)"

# Network: verify service version matches
nmap -sV -p <port> <target>

Quick Reference: Notable CVEs by Category

| Category | CVE | Product | Impact | |----------|-----|---------|--------| | RCE | CVE-2021-44228 | Log4j 2.x | JNDI injection, AV:N/PR:N | | RCE | CVE-2021-41773 | Apache 2.4.49 | Path traversal + RCE | | LPE | CVE-2022-0847 | Linux kernel 5.8-5.16 | Dirty Pipe, overwrite RO files | | LPE | CVE-2021-4034 | Polkit pkexec | Local root | | RCE | CVE-2017-0144 | Windows SMB | EternalBlue, wormable | | RCE | CVE-2019-0708 | Windows RDP | BlueKeep, pre-auth | | RCE | CVE-2021-26855 | Exchange | ProxyLogon, SSRF | | Auth bypass | CVE-2020-1472 | Netlogon | Zerologon |

Resources

| File | When to load | |------|--------------| | references/sources.md | Full source list, API references, CVSS vector decoder |

aeondave/vuln-research

offensive-tools/exploits/vuln-research/SKILL.md

Auth/lab ref: Exploit research workflow: a target software version or CVE: triage CVSS severity, find public PoCs on NVD/sploitus/PoC-in-GitHub/ExploitDB, assess exploitability, and locate Metasploit modules.

4 stars

research

Updated Jun 8, 2026

$ install --global

skillsauth

npx skillsauth add aeondave/malskill vuln-research

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 8, 2026, 3:46 AM139.9s2 files scanned

SKILL.md

name:: vuln-research
description:: Auth/lab ref: Exploit research workflow: a target software version or CVE: triage CVSS severity, find public PoCs on NVD/sploitus/PoC-in-GitHub/ExploitDB, assess exploitability, and locate Metasploit modules.
license:: MIT
compatibility:: uses web sources and CLI tools (searchsploit, msfconsole, curl, gh).
author:: AeonDave
version:: 1.0

Vuln Research

Exploit research workflow — from software version to working exploit.

Triage Order

Identify exact software + version
Search NVD for CVEs
Check CVSS score — prioritize Critical (9.0+) / High (7.0+)
Find PoC / exploit
Assess exploitability (auth required, network access, mitigations)
Run exploit or look for Metasploit module

Step 1 — Identify Version

# On target — common version fingerprinting
uname -r                          # Kernel
lsb_release -a                    # Linux distro
apache2 -v / nginx -v             # Web server
php --version                     # PHP
mysql --version                   # MySQL
python3 --version
dpkg -l | grep <package>          # Debian package version
rpm -qa | grep <package>          # RHEL/CentOS

Step 2 — CVE Lookup

NVD (authoritative)

https://nvd.nist.gov/vuln/search?query=<product>+<version>

CLI via nvdlib (Python)

pip install nvdlib
python3 -c "
import nvdlib
cves = nvdlib.searchCVE(keywordSearch='apache 2.4.49', limit=10)
for c in cves:
    print(c.id, c.score, c.descriptions[0].value[:120])
"

Via curl (NVD API v2)

curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=OpenSSH+8.2&resultsPerPage=5" \
  | jq '.vulnerabilities[].cve | {id: .id, score: .metrics.cvssMetricV31[0].cvssData.baseScore, desc: .descriptions[0].value[:100]}'

Step 3 — CVSS Triage

Key CVSS vectors to check:

AV:N (Network) — remotely exploitable; highest value
PR:N (No Privileges Required) — unauthenticated
UI:N (No User Interaction) — autonomous exploitation
S:C (Scope Changed) — impact beyond vulnerable component

Step 4 — Find Public Exploit / PoC

Sploitus (aggregates ExploitDB + PacketStorm + GitHub PoCs)

https://sploitus.com/?query=<CVE-ID>
https://sploitus.com/?query=<product>+<version>

PoC-in-GitHub

# Search GitHub for PoCs
curl -s "https://poc-in-github.motikan2010.net/api/v1/?cve_id=CVE-2021-44228" | jq '.pocs[]'

https://github.com/search?q=CVE-2021-44228+PoC&type=repositories&sort=updated

SearchSploit (offline)

searchsploit <product> <version>
searchsploit --cve <CVE-ID>

Exploit-DB (online)

https://www.exploit-db.com/search?cve=<CVE-ID>

Packetstorm

https://packetstormsecurity.com/search/?q=<CVE-ID>

Vulhub (Docker PoC environments)

https://github.com/vulhub/vulhub/tree/master/<product>/<CVE>
# Ready-to-deploy Docker lab for the vulnerability

Step 5 — Check Metasploit Module

msfconsole -q -x "search cve:<CVE-ID>; exit"
msfconsole -q -x "search type:exploit name:<product>; exit"

If a Metasploit module exists: prefer it over raw PoC — handles payload staging, bad chars, encoders.

Step 6 — Assess Exploitability

Before running:

# Check if target version is actually vulnerable
# Many PoCs have specific minor version requirements

# Linux: ASLR
cat /proc/sys/kernel/randomize_va_space   # 2=full, 1=partial, 0=off

# Linux: mitigations
cat /proc/cpuinfo | grep -E 'flags|bugs'  # spectre/meltdown status

# Windows: check patch level (if access)
systeminfo | findstr /B /C:"OS Version" /C:"Hotfix(s)"

# Network: verify service version matches
nmap -sV -p <port> <target>

Quick Reference: Notable CVEs by Category

Resources

| File | When to load | |------|--------------| | references/sources.md | Full source list, API references, CVSS vector decoder |

Related Skills

aeondave/vibe-audit-technique

development

VerifiedTrustedCommunity

White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

4SKILL.mdUpdated Jun 12, 2026

aeondave/vibe-audit-technique

aeondave/source-review-technique

development

VerifiedTrustedCommunity

Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.

4SKILL.mdUpdated Jun 12, 2026

aeondave/source-review-technique

aeondave/hardware-technique

development

VerifiedTrustedCommunity

Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.

4SKILL.mdUpdated Jun 12, 2026

aeondave/hardware-technique

aeondave/container-technique

devops

VerifiedTrustedCommunity

Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.

4SKILL.mdUpdated Jun 12, 2026

aeondave/container-technique

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aeondave/malskill.git

# Copy into Claude Code skills folder (global)
cp -r malskill/offensive-tools/exploits/vuln-research ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aeondave/malskill

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT