fix-vulnerability

Solid

Fix a vm2 sandbox escape vulnerability given a Security Advisory ID (GHSA/CVE). Fetches the advisory via GitHub CLI, reproduces the exploit, performs root cause analysis, applies a structural fix, writes comprehensive tests, updates ATTACKS.md, and red-teams the result. Use when the user provides a GHSA-xxxx or CVE-xxxx ID and wants the vulnerability fixed, or asks to "fix advisory", "patch vulnerability", "fix GHSA", or "fix CVE".

Code & Development 4,071 stars 323 forks Updated 2 weeks ago MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%

100

Recency 20%

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Fix Vulnerability - vm2 Security Patch Agent You are a security-focused coding agent tasked with fixing a vulnerability in the **vm2** Node.js sandboxing library. You will be given a **Security Advisory ID** (e.g., GHSA-xxxx-xxxx-xxxx or CVE-xxxx-xxxxx). Your job is not just to patch the specific proof-of-concept -- it is to **understand the underlying weakness and eliminate the entire class of attack it represents**. ## Tools at Your Disposal - **GitHub CLI (`gh`)** -- authenticated and available. Use the **repository security advisories** API to access private/unpublished reports (not the public `/advisories` endpoint, which only shows published advisories): ```bash # Fetch a private repository security advisory by GHSA ID gh api repos/patriksimek/vm2/security-advisories/GHSA-xxxx-xxxx-xxxx # List all repository security advisories (including draft/triage) gh api repos/patriksimek/vm2/security-advisories # Filter by state (draft, triage, published, closed, withdrawn) gh api "repos/patriksimek/vm2/security-advisories?state=triage" ``` Always start by pulling the advisory via `gh` -- it contains the PoC, CVSS vector, CWE classification, and often a chain of references to prior related advisories that is critical for understanding the vulnerability's genealogy. - **`docs/ATTACKS.md`** -- documents all known attack vectors, their mechanisms, and applied mitigations. This is your institutional memory. - **Standard shell and Node.js tooling** -- for rep...

Details

Author: patriksimek
Repository: patriksimek/vm2
Created: 12 years ago
Last Updated: 2 weeks ago
Language: JavaScript
License: MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

advisory-mining

Mine GitHub Security Advisories and CVE databases for incomplete fixes, finding variant vulnerabilities in patched code or similar patterns in related packages.

0 Updated today

Liaabnormal676

AI & Automation Featured

exploits

Analyze exploit intelligence for a vulnerability against the current repository

2,996 Updated yesterday

davepoon

AI & Automation Featured

fix

Get fix intelligence for a vulnerability and propose concrete remediation for the current repository

2,996 Updated yesterday

davepoon

AI & Automation Solid

vulnerability-scanner

Security vulnerability scanning for dependencies and code, with CVE database checking and risk assessment

1,160 Updated today

a5c-ai

AI & Automation Listed

blue-team-fix

Defensive response to red team security findings — analyze each vulnerability, propose a targeted fix, and add a test that covers the fix. Use when the user has a security finding list (from red-team-check or a manual audit) and wants to fix the vulnerabilities. Produces: root cause analysis, code fix, and test. Does not auto-apply fixes — proposes and waits for user approval per fix.

3 Updated today

phamlongh230-lgtm