Documentation

Skills

LLM-guided interactive workflows that analyze vulnerabilities, assess risk, and propose remediation using AI.

Skills are LLM-guided interactive workflows invoked with /vulnetix:<skill-name>. Unlike commands (which are deterministic CLI wrappers that run a subcommand and display output), skills involve AI analysis powered by the Claude Sonnet model. They interpret data, assess risk, correlate findings across sources, and produce rich Markdown output with tables and Mermaid diagrams.

Every skill:

  • Reads and updates .vulnetix/memory.yaml to persist findings across sessions
  • Cross-references CycloneDX SBOMs in .vulnetix/scans/ when available
  • Integrates with GitHub Advanced Security (Dependabot, CodeQL, Secret Scanning) when gh CLI is authenticated
  • Suggests next steps by recommending other skills

Capabilities awareness

As of v1.3.0, every skill consults .vulnetix/capabilities.yaml before invoking the Vulnetix CLI. The session-start capabilities-detect hook probes which security tools (nuclei, snort, yara, semgrep, syft, grype, trivy, cosign, gh, package managers) are callable AND which signals the repo carries (manifests, Dockerfiles, IaC, CI configs). Skills then narrow their CLI calls and external integrations to only what the user can act on.

Skill Reference

Foundational

SkillInvocationPurpose
Capabilities Detect/vulnetix:capabilities-detectRe-probe system + repo signals; refresh .vulnetix/capabilities.yaml
Dashboard/vulnetix:dashboardView all tracked vulnerabilities and status

Core vulnerability intelligence

SkillInvocationPurpose
Vulnerability Lookup/vulnetix:vuln <id-or-package>Look up a vulnerability or list package vulns
Package Search/vulnetix:package-search <name>Search packages and assess security risk
Exploit Analysis/vulnetix:exploits <vuln-id>Analyze exploit intelligence and threat model
Exploits Search/vulnetix:exploits-search [flags]Search for exploited vulnerabilities
Fix Intelligence/vulnetix:fix <vuln-id>Get fix intelligence and apply remediation
Remediation Planning/vulnetix:remediation <vuln-id>Context-aware remediation plan

SOC / IR

SkillInvocationPurpose
SOC Triage/vulnetix:soc-triage [flags]Daily prioritized SOC pull intersected with this repo
IOC Pivot/vulnetix:ioc-pivot <vuln-id>IOCs + sightings timeline; optional STIX export
Detection Rules/vulnetix:detection-rules <vuln-id>Snort/YARA/Nuclei content for a CVE
ATT&CK Mapping/vulnetix:attack-mapping [vuln-id|--all-tracked]MITRE ATT&CK technique view
KEV Watch/vulnetix:kev-watch [flags]CISA/EU KEV intersected with installed deps
Threat Feed/vulnetix:threat-feedDaily threat-intel digest
Incident Respond/vulnetix:incident-respond <vuln-id>End-to-end IR playbook
Verify Fix/vulnetix:verify-fix <vuln-id>Confirm a fix landed (gated scan + targeted recheck)
Exploit Test/vulnetix:exploit-test <vuln-id> [--target URL]Generate a runnable exploit-validation command
VEX Publish/vulnetix:vex-publish [flags]Generate + optionally upload OpenVEX/CycloneDX VEX
Compliance Report/vulnetix:compliance-report [flags]SBOM + SPDX + SARIF + VEX bundle

SecDev / shift-left

SkillInvocationPurpose
SAST Scan/vulnetix:sast-scan [flags]Run SAST against changed files; augment with local Semgrep
Secret Scan/vulnetix:secret-scan [flags]Detect hardcoded secrets
Container Scan/vulnetix:container-scan [flags]Dockerfile/Containerfile + optional Trivy/Grype/Syft
IaC Scan/vulnetix:iac-scan [flags]Terraform/OpenTofu/Nix/k8s misconfig detection
License Check/vulnetix:license-check [flags]License conflicts + policy enforcement
Dep-Add Guard/vulnetix:dep-add-guard <package>Risk gate before adding a dependency
Dep Resolve/vulnetix:dep-resolve <package>Resolve version conflicts blocking a fix
Safe Version/vulnetix:safe-version <package>Newest safe version under a major-bump cap
EOL Check/vulnetix:eol-check [--strict]End-of-life runtimes/packages
Typosquat Check/vulnetix:typosquat-check [package|--installed]Malware / typosquat detection
Code Review (Security)/vulnetix:code-review-security [--pr N]Unified PR security review
Secure Code Write/vulnetix:secure-code-write [topic]Proactive coding guidance
SBOM Generate/vulnetix:sbom-generate [flags]CycloneDX/SPDX SBOMs with optional cosign

Skills vs Commands

SkillsCommands
ModelClaude Sonnet (LLM analysis)None (deterministic)
OutputInterpreted assessments, tables, Mermaid diagramsRaw structured data
MemoryReads and updates .vulnetix/memory.yamlNo memory interaction
GHAS integrationDependabot, CodeQL, Secret ScanningNone
InteractivityMay ask follow-up questions, propose editsDisplay only
Use caseRisk assessment, remediation planning, threat modelingQuick data lookups, scripting

Invocation

All skills use the colon syntax:

/vulnetix:<skill-name> <arguments>

For example:

/vulnetix:exploits CVE-2021-44228
/vulnetix:package-search express
/vulnetix:vuln lodash
Dashboard
Displays a comprehensive vulnerability status report from .vulnetix/memory.yaml, showing all tracked vulnerabilities grouped by status with suggested next actions.
Package Search
Search packages across ecosystems and get a comprehensive security risk assessment before adding dependencies.
Exploit Analysis
Analyze exploit intelligence for a vulnerability, build a threat model, compute CWSS priority scores, and assess repository impact.
Fix Intelligence
Fetch fix intelligence for a vulnerability and propose concrete remediation including manifest edits, breaking change analysis, and verification.
Vulnerability Lookup
Look up a vulnerability by ID for detailed intelligence, or query a package name to list all its known vulnerabilities.
Exploits Search
Search for vulnerabilities with known exploits across the VDB, filtered by ecosystem, severity, source, EPSS, and CISA KEV status.
Remediation Planning
Generate a context-aware remediation plan with registry fixes, distribution patches, workarounds, CWE guidance, and verification steps.
ATT&CK Mapping
Map vulnerabilities in this repo to MITRE ATT&CK techniques.
Capabilities Detect
Re-probe system binaries and repo signals; refresh .vulnetix/capabilities.yaml so other Pix surfaces know which Vulnetix CLI features are meaningful.
Code Review (Security)
PR-style security review composing SAST + SCA + secrets + container + IaC + license against the diff.
Compliance Report
Build a compliance bundle — CycloneDX SBOM, SPDX license report, SARIF findings, VEX, optional cosign signature.
Container Scan
Analyze Dockerfile / Containerfile / compose. Composes with Trivy / Grype / Syft when present.
Dep Resolve
Resolve dependency-version conflicts that block a fix. Finds a compatible safe version set across the dep graph.
Dep-Add Guard
Risk gate before adding a dependency. Composes vuln history, malware/typosquat, license, EOL, and maintainer health.
Detection Rules
Fetch Snort, Suricata, YARA, and Nuclei detection content for a vulnerability. Filters to the user's installed detection stack.
EOL Check
Flag end-of-life runtimes and packages.
Exploit Test
Generate a runnable exploit-validation command against a target. Uses Nuclei templates when available.
IaC Scan
Scan Terraform / OpenTofu / Nix / k8s manifests for misconfigurations.
Incident Respond
End-to-end SOC playbook for a CVE actively in the wild.
IOC Pivot
Pivot from a CVE to indicators of compromise (IPs, ASNs, geos) and an in-the-wild observation timeline. Optional STIX export.
KEV Watch
Cross-reference CISA/EU KEV catalogs with installed dependencies.
License Check
Detect license conflicts and policy violations. Outputs SPDX.
Safe Version
Find the safest currently-published version of a package — newest version free of known vulnerabilities, capped by major-bump policy.
SAST Scan
Run Vulnetix SAST against changed files (or whole repo). Augments with local Semgrep rules when present.
SBOM Generate
Generate CycloneDX and/or SPDX SBOMs; optional cosign signing.
Secret Scan
Detect hardcoded secrets in source. Pre-commit, on-demand, or staged-only modes.
Secure Code Write
Proactive secure-coding guidance scoped to the file or topic you're working on.
SOC Triage
Daily SOC triage feed prioritized for this repo.
Threat Feed
Daily threat-intel digest combining AI discoveries, in-the-wild exploitation, AI malware, exploit trends, and vendor trends.
Typosquat Check
Detect malware and typosquats among installed dependencies (or prospective additions).
Verify Fix
Re-scan after applying a fix; gates on exploit-maturity + severity. Confirms the patched manifest no longer carries the targeted CVE.
VEX Publish
Generate VEX statements (OpenVEX or CycloneDX VEX) from triage decisions; optional upload to Vulnetix and PR comment.