fix-vulnerability

Solid

Fix a vm2 sandbox escape vulnerability given a Security Advisory ID (GHSA/CVE). Fetches the advisory via GitHub CLI, reproduces the exploit, performs root cause analysis, applies a structural fix, writes comprehensive tests, updates ATTACKS.md, and red-teams the result. Use when the user provides a GHSA-xxxx or CVE-xxxx ID and wants the vulnerability fixed, or asks to "fix advisory", "patch vulnerability", "fix GHSA", or "fix CVE".

Code & Development 4,067 stars 322 forks Updated 1 weeks ago MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%

100

Recency 20%

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Fix Vulnerability - vm2 Security Patch Agent You are a security-focused coding agent tasked with fixing a vulnerability in the **vm2** Node.js sandboxing library. You will be given a **Security Advisory ID** (e.g., GHSA-xxxx-xxxx-xxxx or CVE-xxxx-xxxxx). Your job is not just to patch the specific proof-of-concept -- it is to **understand the underlying weakness and eliminate the entire class of attack it represents**. ## Tools at Your Disposal - **GitHub CLI (`gh`)** -- authenticated and available. Use the **repository security advisories** API to access private/unpublished reports (not the public `/advisories` endpoint, which only shows published advisories): ```bash # Fetch a private repository security advisory by GHSA ID gh api repos/patriksimek/vm2/security-advisories/GHSA-xxxx-xxxx-xxxx # List all repository security advisories (including draft/triage) gh api repos/patriksimek/vm2/security-advisories # Filter by state (draft, triage, published, closed, withdrawn) gh api "repos/patriksimek/vm2/security-advisories?state=triage" ``` Always start by pulling the advisory via `gh` -- it contains the PoC, CVSS vector, CWE classification, and often a chain of references to prior related advisories that is critical for understanding the vulnerability's genealogy. - **`docs/ATTACKS.md`** -- documents all known attack vectors, their mechanisms, and applied mitigations. This is your institutional memory. - **Standard shell and Node.js tooling** -- for rep...

Details

Author: patriksimek
Repository: patriksimek/vm2
Created: 12 years ago
Last Updated: 1 weeks ago
Language: JavaScript
License: MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

exploits-search

Search for exploits across all vulnerabilities with filtering by ecosystem, severity, source, and EPSS

2,972 Updated 3 days ago

davepoon

Data & Documents Solid

scv-scan

Systematically audit Solidity smart contract codebases for security vulnerabilities using a 4-phase approach - load a vulnerability cheatsheet, sweep code with grep and semantic analysis, deep-validate candidates against reference files, and output a severity-ranked findings

99 Updated 2 months ago

kadenzipfel

AI & Automation Featured

dashboard

View all tracked vulnerabilities and their current status

2,972 Updated 3 days ago

davepoon

Code & Development Featured

security-reviewer

Identifies security vulnerabilities, generates structured audit reports with severity ratings, and provides actionable remediation guidance. Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews, dependency audits, secrets scanning, or compliance checks. Produces vulnerability reports, prioritized recommendations, and compliance checklists.

9,342 Updated 5 days ago

Jeffallan

Code & Development Solid

sos

Stronghold of Security: Comprehensive adversarial security audit for Solana/Anchor smart contracts. Run /SOS for a getting-started guide, or /SOS:scan to begin an audit.

15 Updated 2 months ago

MetalLegBob