vuln/SKILL.md
Vulnerability analysis and CVE matching for penetration testing. Use when: user asks to check for vulnerabilities, match CVEs against service versions, analyze scan results for weaknesses, research exploitability, assess risk of discovered services, or identify known vulnerabilities. This is the analysis phase — no exploitation yet. NOT for: active scanning (use enum skill), exploitation (use exploit skill), or post-exploitation (use post skill).
Analyze discovered services and versions against known CVEs. Identify what's exploitable before attempting exploitation.
✅ USE this skill when:
- the user asks to check for vulnerabilities or identify known vulnerabilities
- matching CVEs against discovered service versions
- analyzing scan results for weaknesses
- researching exploitability or assessing the risk of discovered services

❌ DON'T use this skill when:
- active scanning is needed (use the enum skill)
- exploitation is needed (use the exploit skill)
- post-exploitation is needed (use the post skill)
Prefer the standardized wrappers under scripts/ before doing one-off research commands.
For web-facing service analysis with parsed enum artifacts:
```bash
python3 scripts/orchestration/run_vuln_profile.py \
  --profile vuln-web-service \
  --target <TARGET-OR-URL> \
  --engagement <target-name> \
  --input <parsed-enum-json>
```
Start from the structured enum artifacts when available:
```bash
cat engagements/<target>/enum/parsed/*.json
cat engagements/<target>/enum/summaries/*.md

python3 scripts/vuln/cve-mapping/map_versions_to_cves.py \
  --input <parsed-enum-json> \
  --engagement <target-name>

scripts/vuln/cve-mapping/searchsploit_auto.sh \
  --input <parsed-enum-json> \
  --engagement <target-name>

scripts/vuln/web/web_baseline.sh --target <TARGET-OR-URL> --engagement <target-name> --safe
```
Use manual commands when wrappers do not cover the case or you need deeper confirmation:
```bash
# All vuln scripts against discovered ports
nmap -sV --script vuln -p <PORTS> <TARGET>

# Specific vulnerability checks
nmap -sV --script ssl-heartbleed,ssl-poodle,http-shellshock,smb-vuln-ms17-010 -p <PORTS> <TARGET>

# Direct searchsploit use
searchsploit openssh 8.2
searchsploit vsftpd 3.0.3

# Direct CVE database lookups
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=openssh+8.2&resultsPerPage=5"
```
For each identified vulnerability, assess:
| Factor | Question |
|--------|----------|
| Exploitability | Is there a public exploit? How complex? |
| Access level | What access is needed? (local, remote, unauthenticated) |
| Impact | What's the worst-case outcome? (RCE, DoS, info leak) |
| Affected version | Is the target version confirmed vulnerable? |
| Mitigations | Are there any mitigating controls in place? |
When a service version is identified, cross-reference with known CVEs:
```bash
# Automated version-to-CVE mapping
python3 scripts/cve_lookup.py --service openssh --version "8.2p1"
python3 scripts/cve_lookup.py --service vsftpd --version "3.0.3"
python3 scripts/cve_lookup.py --file engagements/<target>/enum/enum-<target>-*.json
```
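An added example of the version-to-CVE matching step (not the project's own `scripts/cve_lookup.py`): it takes a response in the NVD CVE API 2.0 shape, the same endpoint the `curl` lookup above queries, compares a discovered version such as `8.2p1` numerically against each vulnerable CPE range, and returns the matching CVE ids with their CVSS v3.1 base score. The NVD JSON below is a constructed sample with placeholder CVE ids, scores and version bounds; a real run would feed it the parsed output of the `curl` query.

```python
import re
# Constructed sample in the NVD CVE API 2.0 response shape; IDs, scores and ranges are placeholders.
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "8.2", "versionEndExcluding": "9.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:vsftpd_project:vsftpd:3.0.3:*:*:*:*:*:*:*"}]}]}]}},
]}

def version_key(v: str) -> tuple:
    """'8.2p1' -> (8, 2, 1): compare version parts numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def in_range(version: str, m: dict) -> bool:
    """Does one cpeMatch entry (exact CPE version or NVD version bounds) cover version?"""
    k = version_key(version)
    parts = m["criteria"].split(":")
    # NVD commonly records OpenSSH patch levels in the CPE update field: openssh:8.2:p1 means 8.2p1
    cpe_ver = parts[5] + (parts[6] if parts[6] != "*" else "")
    if parts[5] != "*" and version_key(cpe_ver) != k:
        return False
    lo_inc, lo_exc = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_inc, hi_exc = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    if lo_inc and k < version_key(lo_inc): return False
    if lo_exc and k <= version_key(lo_exc): return False
    if hi_inc and k > version_key(hi_inc): return False
    if hi_exc and k >= version_key(hi_exc): return False
    return True

def vulnerable_matches(cve: dict, product: str):
    """Yield cpeMatch entries flagged vulnerable whose CPE product field equals product."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if m.get("vulnerable") and m["criteria"].split(":")[4] == product:
                    yield m

def match_cves(nvd: dict, product: str, version: str) -> list:
    """Return {id, cvss} for each CVE in an NVD response whose vulnerable range covers version."""
    hits = []
    for item in nvd.get("vulnerabilities", []):
        cve = item["cve"]
        if any(in_range(version, m) for m in vulnerable_matches(cve, product)):
            v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
            hits.append({"id": cve["id"], "cvss": v31[0]["cvssData"]["baseScore"] if v31 else None})
    return hits

if __name__ == "__main__":
    for product, version in [("openssh", "8.2p1"), ("openssh", "9.0p1"), ("vsftpd", "3.0.3")]:
        print(product, version, match_cves(SAMPLE_NVD, product, version))
```

A hit here only means the version falls inside the advisory's stated range; confirm the target build is actually affected (distribution backports keep old version strings) before recording it as exploitable.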
| Category | Examples |
|----------|---------|
| Remote Code Execution | CVE-2024-6387 (regreSSHion), Shellshock |
| Authentication Bypass | Default creds, auth bypass in web apps |
| Privilege Escalation | Local privesc via SUID, kernel exploits |
| Information Disclosure | Directory traversal, info leak in headers |
| Denial of Service | Network-level DoS, resource exhaustion |
| Injection | SQLi, command injection, XSS |
| Category | What it checks |
|----------|---------------|
| vuln | Known CVEs with PoC |
| auth | Authentication issues |
| default | Default settings/credentials |
| intrusive | May disrupt service |
| safe | Non-intrusive checks |
Document findings in engagements/<target>/vuln/ following the workspace engagement structure. The orchestrator will specify the target name. Preserve original filenames. NEVER create ad-hoc directories.
```markdown
# Vulnerability Analysis — <target>

## Services Analyzed
| Port | Service | Version | Status |
|------|---------|---------|--------|
| 22 | ssh | OpenSSH 8.2p1 | VULNERABLE — CVE-2024-6387 |
| 80 | http | Apache 2.4.41 | OK (but missing headers) |

## Findings
### CVE-2024-6387 — regreSSHion
- **CVSS:** 9.8 (Critical)
- **Affected:** OpenSSH 8.2p1-9.6p1
- **Exploit:** Public, reliable RCE as root
- **Exploitable:** YES
- **Notes:** Signal handler race condition, unauthenticated RCE
```
```text
Service + Version identified
│
├── searchsploit returns results?
│   ├── YES → Document CVE, check exploit availability
│   └── NO → Check NSE vuln scripts
│
├── NSE vuln scripts flag it?
│   ├── YES → Confirm with CVE database
│   └── NO → Check version against NVD
│
└── Any confirmed vulns?
    ├── YES → Prioritize for exploitation (next phase)
    └── NO → Document as "no known CVEs" — note for manual testing
```