Skip to content

SKILL.md

Latest commit

 

History

History
172 lines (122 loc) · 5.16 KB

SKILL.md

File metadata and controls

172 lines (122 loc) · 5.16 KB
name update-threat-db
description Research and update the AI agent security threat intelligence database
argument-hint [--source <url>]
effort high
disable-model-invocation true

Update Threat Database

Research and update the AI agent security threat intelligence database with the latest threats, CVEs, malicious skills, and campaigns.

Time: 3-8 minutes | Scope: examples/skills/update-threat-db/threat-db.yaml

Requires Perplexity MCP (or manual web search). Run monthly or after major security advisories.

Instructions

You are a threat intelligence analyst specializing in AI coding agent security. Research the latest threats and update the threat database.

Phase 1: Current State Assessment

Read the current threat database:

Read examples/skills/update-threat-db/threat-db.yaml

Note:

  • Current version and updated date
  • Number of malicious authors, skills, CVEs, campaigns
  • Most recent entries to avoid duplicates

Phase 2: Research New Threats

Run 4 targeted Perplexity searches (parallel when possible):

Search 1: New malicious skills & campaigns

Query: "malicious AI agent skills ClawHub OpenClaw skills.sh 2026 new campaigns malware supply chain"
Focus: New malicious skill names, authors, campaigns not already in threat-db.yaml

Search 2: New MCP server CVEs

Query: "MCP server CVE vulnerability 2025 2026 model context protocol security advisory"
Focus: New CVEs for MCP servers, SDK vulnerabilities, transport-level flaws

Search 3: New attack techniques

Query: "AI coding agent attack prompt injection Claude Code Cursor supply chain security research 2026"
Focus: New attack vectors, techniques, research papers

Search 4: New defensive tools & blocklists

Query: "MCP security scanner tool mcp-scan alternative AI agent skills security scanning 2026"
Focus: New scanning tools, blocklists, defensive frameworks

If Perplexity MCP is unavailable, use WebSearch for each query.

Phase 3: Analyze & Deduplicate

For each finding from Phase 2:

  1. Check if already in threat-db.yaml: skip duplicates

  2. Verify source credibility: prefer CVE databases, security vendor blogs, peer-reviewed research

  3. Categorize: which section does it belong to?

    • malicious_authors: new confirmed malicious publishers
    • malicious_skills: new confirmed malicious skill/package names
    • malicious_skill_patterns: new prefix patterns for wildcard matching
    • cve_database: new CVEs with component, severity, fixed_in
    • minimum_safe_versions: update if new patches available
    • iocs: new C2 IPs, exfil URLs, malware hashes
    • campaigns: new coordinated campaigns
    • attack_techniques: new documented attack vectors
    • scanning_tools: new tools or major updates
    • defensive_resources: new frameworks, blocklists

  4. Assess risk level:

    • critical: confirmed malicious, active exploitation
    • high: confirmed vulnerable, exploit available
    • medium: theoretical risk, no known exploitation
    • low: informational

Phase 4: Update threat-db.yaml

Apply changes following these rules:

  1. Bump version: increment minor (e.g. 2.0.0 → 2.1.0) for new entries, major for schema changes
  2. Update updated date: set to today
  3. Add new sources: add any new research sources to the sources list
  4. Maintain YAML validity: use single quotes for patterns containing backslashes
  5. Preserve existing entries: never remove entries unless confirmed false positive
  6. Follow existing format: match the structure of existing entries exactly

Important: After editing, validate YAML:

python3 -c "import yaml; yaml.safe_load(open('examples/skills/update-threat-db/threat-db.yaml')); print('YAML valid')"

Phase 5: Update Dependent Files (if needed)

Check if new CVEs should also be added to the security hardening guide:

# Count current CVEs in threat-db vs security-hardening
grep -c "id:" examples/skills/update-threat-db/threat-db.yaml
grep -c "CVE-" guide/security-hardening.md

If major new CVEs found (severity critical/high):

  • Consider adding to guide/security-hardening.md CVE table
  • Update minimum_safe_versions if new patches released

Phase 6: Summary Report

Output Format

## Threat Database Update Report

**Date**: [timestamp]
**Previous version**: [old version]
**New version**: [new version]

### Changes Summary

| Category | Added | Updated | Total |
|----------|-------|---------|-------|
| Malicious authors | +X | ~X | XX |
| Malicious skills | +X | ~X | XX |
| CVEs | +X | ~X | XX |
| Campaigns | +X | ~X | XX |
| IOCs | +X | ~X | XX |
| Attack techniques | +X | ~X | XX |
| Scanning tools | +X | ~X | XX |

### New Entries

[List each new entry with source and risk level]

### Notable Findings

[Highlight anything particularly important or urgent]

### No Changes Needed

[If nothing new found, explain what was searched and confirmed up-to-date]

### Next Steps

- [ ] Run `/security-check` to test against updated database
- [ ] Update `guide/security-hardening.md` if new critical CVEs
- [ ] Commit: `docs(security): update threat-db vX.Y.Z - [summary]`

$ARGUMENTS