菜单
Use when the user wants to analyze a CVE against a source code repository, analyze an SBOM file (SPDX or CycloneDX) for vulnerability exploitability, or analyze a CVE against a specific RPM package using the ExploitIQ service.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when the user wants to list, filter, inspect, retry, or delete CVE analysis reports from the ExploitIQ service. Covers checking report status, reviewing past analyses, triaging results, retrying failures, or cleaning up old reports.
Use when the user wants to list, inspect, or delete products in the ExploitIQ service. Products group related CVE analysis reports for a software component.
| name | exploitiq-analyze |
| description | Use when the user wants to analyze a CVE against a source code repository, analyze an SBOM file (SPDX or CycloneDX) for vulnerability exploitability, or analyze a CVE against a specific RPM package using the ExploitIQ service. |
Submit a vulnerability analysis and retrieve results from the ExploitIQ service.
From the user's input, determine which type of analysis to perform:
Required parameters:
cveId — CVE ID (e.g., CVE-2024-1234)sourceRepo — Git repository URL (must be https://)commitId — Commit hash or branch/tag referenceIf any are missing, ask the user for them.
If the repo is private, ask the user for authentication:
userName — Git usernamesecretValue — Personal access token or SSH keyCall mcp__exploitiq__analyze_cve with the parameters.
ReportData{
"reportRequestId": {
"id": "<MongoDB ObjectId — use for retry/delete operations>",
"reportId": "<Scan ID — use for polling with get_cve_report_by_scan_id>"
},
"report": { ... }
}
Display after submission:
reportRequestId.idreportRequestId.reportIdRequired: a file path to an SBOM file on disk.
"spdxVersion" or extension is .spdx.json → SPDX"bomFormat" or extension is .cdx.json → CycloneDXbase64 -w0 <filepath>mcp__exploitiq__analyze_spdx_sbom or mcp__exploitiq__analyze_cyclonedx_sbom with:
fileContent — the base64-encoded stringcveId — (optional) if the user wants to filter to a specific CVEIf the repo referenced in the SBOM is private, ask for userName and secretValue.
ReportDataSame structure as Option A — contains reportRequestId.id and reportRequestId.reportId.
The SPDX upload creates a product (multi-component). The response is a generic object — look for an id field which is the Product ID. Use mcp__exploitiq__get_product with that ID to check status, or mcp__exploitiq__list_cve_reports with productId filter to find the individual component reports.
Required parameters:
cveId — CVE ID (e.g., CVE-2024-1234), must match CVE-YYYY-NNNN+ formatpackageName — RPM package name (e.g., openssl, curl, kernel)packageVersion — Package version (e.g., 1.1.1k)packageRelease — Package release string (e.g., 8.el9_9)Optional parameters:
packageArch — Architecture (default: x86_64). Valid values: x86_64, amd64, aarch64, arm64, ppc64le, s390xIf any required parameter is missing, ask the user for it.
Call mcp__exploitiq__analyze_rpm with the parameters.
This uses the RPM package checker pipeline, which performs a focused two-level investigation:
ReportDataSame structure as Option A — contains reportRequestId.id and reportRequestId.reportId.
If the user says yes:
sleep 30 via Bash)mcp__exploitiq__get_cve_report_by_scan_id with the scan ID (reportRequestId.reportId)ReportWithStatus object:
{
"report": { <FullReport object — see "FullReport Document Structure" below> },
"status": "completed" // One of: completed, queued, sent, expired, failed, pending, unknown
}
status field:
completed → present results (see "Presenting Results" below)failed or expired → offer to retry (see "Retry on Failure" below)sent, queued, pending) → go back to step 1sleep 30 via Bash)mcp__exploitiq__get_product with the product IDProductSummary (see exploitiq-products skill for structure)summary.productState — when all component reports are done, present the product summarymcp__exploitiq__list_cve_reports with productId filterThe report field inside ReportWithStatus is a raw MongoDB document (Record<string, any>). Fields may be absent depending on analysis state and backend version. Always check for existence before accessing nested fields.
report._id — MongoDB ObjectId (hex string), use for retry/delete
report.input — Scan and image input data
report.output — Analysis results
report.info — VDB and intel metadata
report.metadata — User-provided metadata (e.g., product_id, environment)
report.error — Present when analysis failed: { message, type }
report.input)report.input.scan.id — Scan ID
report.input.scan.type — "image" or "source"
report.input.scan.started_at — ISO timestamp
report.input.scan.completed_at — ISO timestamp (empty string if not completed)
report.input.scan.vulns[] — Array of vulnerability info:
.vuln_id — CVE ID (e.g., "CVE-2024-1001")
.description — Vulnerability description
.score — CVSS score (number)
.severity — "CRITICAL", "HIGH", "MEDIUM", "LOW"
.published_date — Date string
.last_modified_date — Date string
.url — CVE URL
.package — Package identifier
.package_name — Package name
.package_version — Package version
.package_type — Package ecosystem type (e.g., "npm", "maven")
report.input.image.analysis_type — "image" or "source"
report.input.image.ecosystem — Programming language ecosystem (e.g., "nodejs", "java")
report.input.image.name — Image/repo name
report.input.image.tag — Image tag or commit hash
report.input.image.source_info[] — Array of source info:
.type — "git" or "code"
.git_repo — Repository URL
.ref — Git reference (branch/tag/commit)
report.output)The analysis results are in report.output.analysis[] — an array with one entry per vulnerability analyzed:
report.output.analysis[i].vuln_id — CVE ID for this analysis
report.output.analysis[i].justification — Verdict object:
.status — "TRUE" (vulnerable), "FALSE" (not vulnerable), or "UNKNOWN"
.label — "vulnerable", "not_vulnerable", or "uncertain"
.reason — Explanation of the verdict (markdown text)
report.output.analysis[i].summary — Summary text of the analysis conclusion (markdown)
report.output.analysis[i].checklist[] — Array of checklist items:
.input — The checklist question
.response — The answer/finding
.intermediate_steps — Intermediate analysis steps (string or null)
report.output.analysis[i].cvss — CVSS score info (may be null):
.score — Score as string (e.g., "8.7")
.vector_string — CVSS vector (e.g., "CVSS:3.1/AV:N/AC:H/...")
report.output.analysis[i].intel_score — Intel reliability score (number or null)
report.output.vex — VEX data (object or null)
report.info)report.info.vdb.version — VDB version
report.info.intel — Intel data (array of IntelEntry or legacy { score } object)
When a report is completed, extract fields from report.output.analysis[i] for each vulnerability and present:
CVE: report.input.scan.vulns[0].vuln_id
Package: report.input.scan.vulns[0].package_name vreport.input.scan.vulns[0].package_version
Ecosystem: report.input.image.ecosystem
Repository: report.input.image.source_info[0].git_repo
CVSS Score: analysis[i].cvss.score (analysis[i].cvss.vector_string)
Verdict: analysis[i].justification.status — display as Vulnerable (TRUE), Not Vulnerable (FALSE), or Uncertain (UNKNOWN)
analysis[i].justification.reason
analysis[i].summary
| # | Question | Answer |
|---|---|---|
| 1 | checklist[0].input | checklist[0].response |
| ... | ... | ... |
If intermediate_steps is present and non-null for any item, show it below the table under "Investigation Details".
For RPM package analyses (Option C), the report may also contain these fields in each vulnerability result (report.output.analysis[i]):
is_target_package_affected — "yes", "no", or "unknown" — whether the target RPM package is affected by the CVEis_target_package_fixed — "yes", "no", or "unknown" — whether a fix is in place for the target packageconclusion_reason — detailed explanation of the vulnerability determinationWhen present, display these after the verdict:
Package Affected: is_target_package_affected
Fix in Place: is_target_package_fixed
Conclusion: conclusion_reason
If any field is missing or empty, note it as "Not available".
If report.error is present, show:
report.error.message (report.error.type)If the report status is failed or expired:
mcp__exploitiq__retry_cve_analysis with the report's MongoDB ObjectId (the _id field from the report document, NOT the scan ID). This is a 24-character hex string.