| name | Vulnerability Scanning & Assessment |
| description | Dependency auditing, CVE detection, configuration security review, CVSS scoring, and prioritized vulnerability reporting |
| version | 3.0.0 |
| author | Masriyan |
| tags | ["cybersecurity","vulnerability","scanning","cve","cvss","audit","assessment","dependency"] |
Vulnerability Scanning & Assessment
Purpose
Enable Claude to perform comprehensive vulnerability assessments by directly analyzing dependency files, configuration files, and scan output — then generating prioritized, actionable reports. Claude identifies vulnerabilities, calculates risk, and prescribes remediation with version specifics.
Activation Triggers
This skill activates when the user asks about:
- Scanning dependencies for known CVEs
- Auditing
requirements.txt, package.json, go.mod, pom.xml, Cargo.toml
- Reviewing server configurations for security issues
- CVSS scoring or severity calculation
- Vulnerability assessment or security audit reports
- Checking software versions against known exploits
- Configuration hardening for nginx, Apache, SSH, Docker, Kubernetes
- NVD, OSV, or CVE database queries
Prerequisites
pip install requests packaging jinja2 pyyaml
Optional enhanced tools:
nuclei — Template-based vulnerability scanner
trivy — Container and filesystem scanner
nmap with NSE scripts — Network vuln scanning
openvas — Full vulnerability management
Core Capabilities
1. Dependency Vulnerability Auditing
Claude can directly read and analyze dependency files:
When the user asks to audit dependencies:
- Read the dependency file using Claude's Read tool or ask the user to paste it
- Identify package manager from file format:
requirements.txt / Pipfile.lock / pyproject.toml → Python/pip
package.json / package-lock.json / yarn.lock → Node.js/npm
go.mod / go.sum → Go modules
pom.xml / build.gradle → Java/Maven/Gradle
Cargo.toml / Cargo.lock → Rust/Cargo
Gemfile.lock → Ruby/Bundler
composer.lock → PHP/Composer
- Extract exact versions for all direct and transitive dependencies
- Query vulnerability databases — Claude can search NVD API, OSV, and GitHub Advisory Database for each package+version combination
- Calculate CVSS v3.1 severity for each finding
- Check for available patches — identify the minimum safe version
- Generate prioritized remediation report
Use this command to run the automated audit:
python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json
python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical
Claude's native analysis — When running without scripts, analyze pasted dependency content directly:
- Flag packages with
>= , *, or missing version pins (supply chain risk)
- Identify known high-risk packages (log4j, spring-core, struts, etc.)
- Cross-reference with CISA KEV (Known Exploited Vulnerabilities) catalog
2. Configuration Security Auditing
Claude can directly read and analyze configuration files:
When the user asks to audit a configuration:
Nginx Audit Checklist
[ ] ssl_protocols — Must NOT include SSLv2, SSLv3, TLSv1, TLSv1.1
[ ] ssl_ciphers — Must not include RC4, DES, MD5, EXPORT ciphers
[ ] server_tokens — Should be 'off' (hides version)
[ ] add_header X-Frame-Options — Required (SAMEORIGIN or DENY)
[ ] add_header X-Content-Type-Options — Required (nosniff)
[ ] add_header Strict-Transport-Security — Required (min 1 year)
[ ] add_header Content-Security-Policy — Required
[ ] autoindex — Must be 'off' (prevents directory listing)
[ ] client_max_body_size — Should be set (prevents DoS)
[ ] access_log / error_log — Must be enabled
SSH (sshd_config) Audit Checklist
[ ] PermitRootLogin — Should be 'no' or 'prohibit-password'
[ ] PasswordAuthentication — Should be 'no' (key-only)
[ ] PermitEmptyPasswords — Must be 'no'
[ ] Protocol — Should be '2' only
[ ] Port — Consider non-default port
[ ] AllowUsers / AllowGroups — Explicit allowlist preferred
[ ] MaxAuthTries — Should be 3-5
[ ] LoginGraceTime — Should be 30-60s
[ ] ClientAliveInterval — Enable session timeout
[ ] X11Forwarding — Should be 'no' if unused
[ ] UsePAM — Review PAM configuration
Docker/Dockerfile Audit Checklist
[ ] USER — Must not run as root; add non-root user
[ ] Image tags — Must not use 'latest'; pin specific digest
[ ] COPY vs ADD — Prefer COPY; ADD has implicit extraction risks
[ ] Secrets — No RUN commands with passwords/tokens
[ ] Multi-stage builds — Minimize attack surface
[ ] HEALTHCHECK — Define health monitoring
[ ] .dockerignore — Exclude .env, keys, secrets
[ ] Read-only filesystem — Use --read-only where possible
Kubernetes YAML Audit Checklist
[ ] securityContext.runAsNonRoot — Must be true
[ ] securityContext.readOnlyRootFilesystem — Should be true
[ ] securityContext.allowPrivilegeEscalation — Must be false
[ ] capabilities — Drop ALL, add only required
[ ] resources.limits — CPU and memory limits required
[ ] NetworkPolicy — Restrict pod-to-pod communication
[ ] ServiceAccount — Disable automount if not needed
[ ] secrets — Use sealed secrets or external vaults
[ ] hostPID/hostIPC/hostNetwork — Must be false
[ ] privileged — Must never be true in production
3. CVSS v3.1 Scoring
When the user asks to calculate CVSS or assess severity:
Claude can calculate CVSS v3.1 scores from the vector string or from a vulnerability description:
CVSS v3.1 Metrics:
| Metric | Values | Description |
|---|
| Attack Vector (AV) | N/A/L/P | Network/Adjacent/Local/Physical |
| Attack Complexity (AC) | L/H | Low/High |
| Privileges Required (PR) | N/L/H | None/Low/High |
| User Interaction (UI) | N/R | None/Required |
| Scope (S) | U/C | Unchanged/Changed |
| Confidentiality (C) | N/L/H | None/Low/High |
| Integrity (I) | N/L/H | None/Low/High |
| Availability (A) | N/L/H | None/Low/High |
Severity Ranges:
| Score | Severity |
|---|
| 0.0 | None |
| 0.1–3.9 | Low |
| 4.0–6.9 | Medium |
| 7.0–8.9 | High |
| 9.0–10.0 | Critical |
Example calculation:
- Remote unauthenticated RCE:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H → 10.0 (Critical)
- Local privilege escalation:
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H → 7.8 (High)
python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
4. Network Vulnerability Scanning Integration
When the user provides Nmap scan results or asks to scan for vulnerabilities:
- Parse Nmap XML/grepable output for open services and versions
- Map each service+version to known CVEs
- Flag services with default credentials (check CVE/common credential lists)
- Identify critical misconfigurations (anonymous FTP, open relay, telnet, etc.)
- Provide targeted Nmap NSE script commands for deeper testing:
nmap -sV --script vuln -p 80,443,22,21,3389 target.com
nmap -p 445 --script smb-vuln* target.com
nmap -p 443 --script ssl-enum-ciphers,ssl-heartbleed,ssl-poodle target.com
5. Vulnerability Report Generation
When the user asks for a vulnerability report:
Generate reports in this structure:
# Vulnerability Assessment Report
**Target:** [Target Name/IP Range]
**Date:** [Date]
**Scope:** [Authorized scope]
**Assessor:** [Name]
---
## Executive Summary
[2-3 sentences: what was tested, total findings by severity, top risk]
## Finding Summary
| Severity | Count | Examples |
|----------|-------|---------|
| Critical | 2 | CVE-2021-44228 (Log4Shell), Unauthenticated RCE |
| High | 5 | Outdated TLS, SQLi in /api/users |
| Medium | 12 | Missing security headers, verbose errors |
| Low | 8 | Information disclosure, weak ciphers |
| Info | 15 | Version disclosure, directory listing |
---
## Findings Detail
### CRITICAL-01: [Finding Title]
**CVSS:** 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
**Affected:** [Package/Service] [Version]
**CVE:** [CVE-ID]
**Description:** [Clear technical description]
**Evidence:** [Proof the vulnerability exists]
**Remediation:** Upgrade to [Package] >= [SafeVersion]
**References:** [CVE link, advisory]
---
## Remediation Roadmap
| Priority | Action | Effort | Risk Reduction |
|----------|--------|--------|----------------|
| Immediate | Patch Log4j to 2.17.1+ | Low | Critical |
| This week | Upgrade express to 4.18.2 | Low | High |
| This month | Enable WAF rules | Medium | Medium |
Output Standards
Always produce findings with:
- CVE ID (where applicable)
- CVSS v3.1 score and vector
- Affected version and safe version
- PoC evidence (non-destructive confirmation only)
- Remediation steps with specific version numbers
- Compliance mapping (PCI-DSS, SOC2, CIS) where relevant
Script Reference
dependency_auditor.py
python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json
python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical
config_auditor.py
python scripts/config_auditor.py --type nginx --config /etc/nginx/nginx.conf --output audit.json
python scripts/config_auditor.py --type sshd --config /etc/ssh/sshd_config
python scripts/config_auditor.py --type dockerfile --config Dockerfile
cvss_calculator.py
python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
python scripts/cvss_calculator.py --interactive
Skill Integration
| Condition | Next Skill |
|---|
| Vulnerabilities confirmed → develop PoC | → Skill 03 (Exploit Development) |
| Vulnerabilities found → apply fixes | → Skill 15 (Blue Team Defense) |
| Auto-ticket for SOC | → Skill 11 (CSOC Automation) |
| Discovered during recon | ← Skill 01 (Recon & OSINT) |
References
v3.0 Enhancements (2026 Update)
Risk-based prioritization beyond raw CVSS:
- CVSS 4.0 — score with the current standard (Base/Threat/Environmental/Supplemental); show the vector string and note when only v3.1 data exists.
- EPSS + CISA KEV — combine CVSS severity × EPSS exploit-probability × KEV membership. A medium-CVSS CVE that is in the CISA Known Exploited Vulnerabilities catalog or has high EPSS outranks a high-CVSS CVE with no exploitation signal. Always state "patch-first" order on this combined basis.
- SBOM + VEX — generate a CycloneDX/SPDX SBOM of the project and emit VEX statements (
affected / not_affected / fixed) so consumers know which CVEs are actually reachable.
- Reachability analysis — flag whether a vulnerable function is actually called (call-graph/import reachability) to cut false-positive noise from transitive deps.
- OSV.dev — query the OSV API for ecosystem-precise advisories (PyPI, npm, Go, crates, Maven) in addition to NVD.
Output rule: every finding row carries CVSS | EPSS | KEV(Y/N) | Reachable(Y/N/Unknown) | Fix.
Added references