---
name: securin-cve-enrichment
description: >-
  Use this skill when the user asks to "enrich this CVE", "tell me about CVE-XXXX", "what's the threat intel on this vulnerability", "look up this CVE", "is this CVE exploited in the wild", "CISA KEV status of...", or wants a global intelligence report on a specific vulnerability from Securin Core, independent of their environment. For "am I affected by this CVE" use securin-threat-correlation instead. Requires the Securin Platform MCP server.
---
# CVE Enrichment (Securin Core)

## Purpose

Produce a complete global intelligence picture for a specific CVE or vulnerability, sourced from Securin Core's vulnerability & threat intelligence indices. This skill is about the vulnerability itself (severity, exploitation, threat actor attribution, affected products) and does not query the user's environment.

Pair skills:

- "Am I affected by this?" → use `securin-threat-correlation`.
- "How do I fix it?" → use `securin-remediation-guidance`.
## When to use

- "Enrich CVE-2024-3400"
- "Tell me everything about this CVE"
- "Is this vulnerability being exploited?"
- "What's the CISA KEV status of…"
- "Who's exploiting CVE-XXXX?" (via `searchThreatActorData` + `riskIndex.contributingFactors[]`)
- "What ransomware families use this CVE?" (via `riskIndex.contributingFactors[]` commentary + web search)
## Pre-flight

### Step 0: Account preflight (CC-1)

See `_shared/account-preflight.md`. Even though this skill queries the global Core indices (not account-scoped data), the preflight still runs so that deep links (CC-2) and any cross-referenced environment data use the correct account context.
## Suggested tools

### Pre-flight (CC-1, see shared doc)

- `getUserProfile` / `listAccount`: resolve accessible accounts
- `getEffectiveAccess` / `getEffectiveAccessWorkspaces`: validate per-resource access (`hasActorAccessToResource` is only for Views/Dashboards/Tags/Widgets)
- `getAccountDetails`: enrich account-ids for the picker

### Core intelligence

- `searchVulnerabilityData`: core CVE record (CVSS, EPSS, Securin Risk Index/SVRS, CISA KEV, published/modified dates, CWE, affected products, exploit counts)
- `searchThreatActorData`: threat actors exploiting this CVE. Pass `fields: ['threatActor']` in the request.
- `searchWeaknessData`: CWE context, root-cause classification
- `searchComponentData`: affected software components / package versions
- `getProducts` / `getVendors`: product catalog lookup for affected-product enrichment
- `getApiFields` with `entityType: ["VULNERABILITY"]`: field discovery
- `createDeepLink` / `getDeepLink`: platform URLs (see `_shared/deep-links.md`)
- Web search (built-in): vendor advisory, PoC status, security news
## Workflow

### Step 1: Normalize the subject

- CVE ID format: `CVE-YYYY-NNNNN`. Normalize case, strip whitespace.
- Vulnerability name (no CVE): use it as a text query to `searchVulnerabilityData` via the name/alias fields; ask the user to confirm the match.
### Step 2: Parallel Core queries

Run these in parallel for latency:

| Query | Purpose |
|---|---|
| `searchVulnerabilityData` filter: `vulnerabilityId = 'CVE-XXXX'` | Primary vuln record; also surfaces `riskIndex.contributingFactors[]` and `riskIndex.changeLog[]` with threat/ransomware commentary |
| `searchThreatActorData` filter: `mappedAttributes.cveIds = 'CVE-XXXX'`, fields: `['threatActor']` | Actor attribution (bare-path FQL: `mappedAttributes.cveIds`, not `threatActor.mappedAttributes.cveIds`) |
| `searchWeaknessData` filter: joined on CWE from vuln record | CWE context (run after the Step 2 primary query completes, or in parallel if the CWE is already known) |
| Web search | Ransomware / malware / campaign linkage via `riskIndex.contributingFactors[]` and web search |

Namespace note: there is no `vulnerabilities.` prefix inside `searchVulnerabilityData`; use bare field paths (`vulnerabilityId`, not `vulnerabilities.id`). See `_shared/fql-grammar.md`.
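Steps 1 and 2 together, as an added example that is not part of the original skill or of the Securin MCP server: a strict normaliser for the CVE ID (so only a validated identifier is ever interpolated into an FQL filter string) and the two Core query payloads built from it, dispatched concurrently through a caller-supplied `call_tool` coroutine. The `{'filter': ..., 'fields': ...}` request shape and the `call_tool(name, request)` signature are assumptions; the CWE query is left out because its field path is not given here.

```python
import asyncio
import re
from typing import Any, Awaitable, Callable

# Canonical form from Step 1: CVE-YYYY-NNNNN (sequence part is 4 or more digits).
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def normalize_cve_id(raw: str) -> str:
    """Return the canonical CVE ID or raise ValueError.

    Whitespace and underscores between the parts become hyphens and the
    result is upper-cased; anything that still does not match the strict
    pattern is rejected, so quotes or extra clauses in user input never
    reach an FQL filter string.
    """
    cleaned = re.sub(r"[\s_]+", "-", raw.strip()).upper()
    if not _CVE_RE.fullmatch(cleaned):
        raise ValueError(f"not a CVE ID: {raw!r}")
    return cleaned


def build_core_queries(raw_cve: str) -> dict[str, dict[str, Any]]:
    """Step 2 request payloads keyed by tool name (request shape is an assumption).

    Filters use the bare field paths from the skill text: vulnerabilityId on
    the vulnerability index, mappedAttributes.cveIds on the threat-actor index.
    """
    cve = normalize_cve_id(raw_cve)
    return {
        "searchVulnerabilityData": {"filter": f"vulnerabilityId = '{cve}'"},
        "searchThreatActorData": {
            "filter": f"mappedAttributes.cveIds = '{cve}'",
            "fields": ["threatActor"],
        },
    }


# Hypothetical MCP tool invoker: call_tool(tool_name, request) -> awaitable result.
ToolCall = Callable[[str, dict[str, Any]], Awaitable[Any]]


async def run_parallel(call_tool: ToolCall, queries: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Issue every query at once and return the results keyed by tool name."""
    names = list(queries)
    results = await asyncio.gather(*(call_tool(n, queries[n]) for n in names))
    return dict(zip(names, results))


def enrich(call_tool: ToolCall, raw_cve: str) -> dict[str, Any]:
    """Normalise the ID, build the Step 2 queries and run them concurrently."""
    return asyncio.run(run_parallel(call_tool, build_core_queries(raw_cve)))
```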
### Step 3: Enrich affected products

From the vuln record's `affectedProducts[]` (or equivalent), call `getProducts` / `searchComponentData` to expand CPE strings into human-readable product+version rows.
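Step 3's CPE-to-row expansion, as an added example that is not part of the original skill: a small CPE 2.3 parser (handling the escaped `\:` and the `*` / `-` logical values) that turns `affectedProducts[]` strings into the vendor / product / affected-version / fixed-in rows the section-6 table needs. It stands in locally for the `getProducts` / `searchComponentData` lookup; the CPE strings and the fixed-version map are constructed sample data, not data about any real CVE.

```python
import re

# CPE 2.3 components after the "cpe:2.3" prefix, in order.
_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
           "language", "sw_edition", "target_sw", "target_hw", "other")


def _split_unescaped(cpe: str) -> list[str]:
    """Split on ':' unless it is escaped as '\\:' inside a component."""
    return re.split(r"(?<!\\):", cpe)


def _display(value: str) -> str:
    """Map CPE logical values ('*' = any, '-' = not applicable); unescape the rest."""
    if value == "*":
        return "any"
    if value == "-":
        return "n/a"
    return re.sub(r"\\(.)", r"\1", value)


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Parse a CPE 2.3 formatted string into named components; reject anything else."""
    parts = _split_unescaped(cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return {name: _display(v) for name, v in zip(_FIELDS, parts[2:])}


def product_rows(cpes, fixed_in=None):
    """Section-6 rows; fixed_in maps (vendor, product) -> version from the advisory (Step 4)."""
    fixed_in = fixed_in or {}
    rows = []
    for cpe in cpes:
        c = parse_cpe23(cpe)
        affected = c["version"]
        if c["update"] not in ("any", "n/a"):
            affected += " " + c["update"]  # e.g. a hotfix / service-pack level
        rows.append({"vendor": c["vendor"], "product": c["product"], "affected": affected,
                     "fixed_in": fixed_in.get((c["vendor"], c["product"]), "unknown")})
    return rows


# Constructed sample affectedProducts[] values (not taken from any real CVE record).
SAMPLE_CPES = [
    "cpe:2.3:a:examplecorp:example_gateway:10.2.9:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:example_os:11.0:h1:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:odd\\:name:*:-:*:*:*:*:*:*",
]
SAMPLE_FIXED = {("examplecorp", "example_gateway"): "10.2.10"}
```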
### Step 4: Web search for vendor advisory + PoC

Search the web for:

- The vendor advisory URL (e.g., `site:paloaltonetworks.com CVE-2024-3400`).
- Public PoC status (GitHub, Exploit-DB).
- Security news / exploitation timeline.

Read the content of the advisory; do not just link it. Extract: fixed version, disclosure timeline, known workarounds.
### Step 5: Generate deep links (CC-2)

Call `createDeepLink` for:

- The vulnerability detail view (the platform's vulnerability page for this CVE).
- Filtered lists for any affected product / threat actor / ransomware you mention.

See `_shared/deep-links.md`.
### Step 6: Synthesize report

Use the 7-section structure below. Every section that names an entity carries a deep link.
## Response structure
```markdown
## CVE-XXXX-YYYY: <title>
**Verdict:** <Critical / High / Medium / Low | KEV: yes/no | actively exploited: yes/no>

### 1. Identity
- CVE ID, published, modified, CWE, vendor
- [View on Securin Platform](<createDeepLink URL>)

### 2. Severity & Scoring
- CVSS v3: base / vector
- EPSS: probability
- Securin Risk Index / SVRS: score + severity band
- (interpretation: see references/risk-scoring.md)

### 3. Exploit Landscape
- CISA KEV: yes/no + date added
- Exploited in the wild: yes/no (source)
- Public PoCs: count + notable repos
- Exploit maturity: Functional / Proof-of-Concept / Unproven

### 4. Threat Actor Attribution
| Actor | Motivation | Recent activity | Link |
|---|---|---|---|
| … | … | … | [View](<deep link>) |

### 5. Ransomware / Campaign Links
| Family / Campaign | First seen | Notes | Link |
|---|---|---|---|
| … | … | … | [View](<deep link>) |

### 6. Affected Products
| Vendor | Product | Affected versions | Fixed in | Link |
|---|---|---|---|---|
| … | … | … | … | [View](<deep link>) |

### 7. References
- Vendor advisory (quote the remediation steps)
- NVD entry
- CISA KEV entry (if applicable)
- Notable news / blog posts

### Next steps
- "Check if you're affected" → use **securin-threat-correlation**
- "Plan remediation" → use **securin-remediation-guidance**
```
## Scope guard (CC-3)

If the user asks "am I affected" or "show me my exposures to this CVE", stop and hand off to `securin-threat-correlation`. This skill is strictly global intel.

If the user asks "how do I fix this", hand off to `securin-remediation-guidance`.
## Edge cases

- CVE not found in Core: some very new CVEs may not be indexed yet. Tell the user, fall back to web search, and offer to re-run later.
- Reserved / rejected CVE: `searchVulnerabilityData` may return a record with minimal fields. Report what's available and flag the status.
- Non-CVE vulnerability (vendor-specific ID): accept the vendor ID, query by name, surface the record but note that there is no CVE mapping.
- Multiple matches on name search: ask the user to pick which CVE.
## Visual output (CC-4)

When this skill produces aggregated or multi-row data (counts, trends, distributions, comparisons, single-CVE reports), emit a chart/graph/infographic in the Securin brand palette (#712880 / #453983 / #542ade / #987bf7 / #d7cbfb), Lato font, light theme, with the Securin logo. The default colormap uses the monotone gradient defined in `_shared/brand.md`. Offer customization after delivery; never default to a different brand.
## References