cve-report-writer
GitHub基于验证发现、代码引用和复现步骤,生成对齐的英文、中文漏洞报告及CVE提交辅助Markdown文件。确保事实一致,严格遵循模板结构,包含核心漏洞路径和可复现PoC,适用于公开Issue或私有公告。
Trigger Scenarios
Install
npx skills add larlarua/AutoCVE --skill cve-report-writer -g -y
SKILL.md
Frontmatter
{
"name": "cve-report-writer",
"description": "Use when drafting or rewriting vulnerability reports into aligned English, Chinese, and CVE Markdown deliverables from verified findings, code references, repro steps, or rough disclosure drafts."
}
Cve Report Writer
Overview
Generate two aligned narrative vulnerability reports, one English and one Chinese, plus one CVE submission helper Markdown file from the same source material. Preserve the same facts, structure, and severity across all outputs, and change only the language where applicable.
Use this skill when the user already has findings, repro steps, code references, logs, screenshots, or rough drafts and needs them converted into disclosure-ready Markdown reports and a structured CVE intake helper.
Workflow
Follow this sequence:
- Read the source materials.
- Extract only verified facts from the provided drafts, notes, screenshots, logs, code references, or reproduction evidence.
- Trace the confirmed vulnerable code path and collect the core source-to-sink code snippets that explain the risk.
- Write the narrative reports in the exact section order defined in
references/report-rules.md. - Generate
xxx_en.md,xxx_zh.md, andxxx_cve.md. - Keep the English and Chinese files structurally identical.
- Keep the CVE helper aligned with the same verified facts.
- Include the core vulnerable code path and a complete reproducible PoC in every output file.
Required Output Rules
Read these files before drafting:
references/report-rules.mdreferences/report-template-en.mdreferences/report-template-zh.mdreferences/cve-submission-template.md
Apply these rules strictly:
- Produce exactly three files for each finding:
xxx_en.md,xxx_zh.md, andxxx_cve.md. - Keep the English and Chinese versions semantically identical.
- Keep the CVE helper factually aligned with the two narrative reports.
- Use only the allowed sections for each template.
- Do not add banned sections even if they are common in other templates.
- Keep the tone suitable for public GitHub issues, private advisories, or CVE-style submissions.
- Prefer precise, evidence-based language over exaggerated claims.
- If the affected version range is uncertain, keep a clearly marked placeholder instead of inventing one.
- Every output file must include the core vulnerable code path or code snippets that materially explain the risk.
- Every output file must include a complete reproducible PoC flow that matches the verified route, parameters, and behavior.
- Do not leave screenshot placeholders or screenshot instructions unless the user explicitly asks for them.
xxx_en.mdandxxx_zh.mdmust end with a supplemental metadata section that captures affected product details, severity metadata, and weaknesses metadata.
Required Section Order
Use this section order only for xxx_en.md and xxx_zh.md:
# <Title>## Summary## Details## POC## Impact## Remediation## Disclosure Notes## Supplemental Informationfor English and## 补充信息for Chinese
Use these templates:
Banned Sections
Never include these sections unless the user explicitly overrides this skill:
Example RequestObserved ResultVerificationWhy This MattersSuggested Fix Direction
If the source draft contains useful text under those headings, fold the useful facts into the allowed sections instead of preserving the headings.
Title Rules
Write titles in a public issue or CVE style format:
- English:
SSRF in /path via root-cause (product <= version) - Chinese: mirror the same meaning, severity, endpoint, and version scope
If the version range is not confirmed, use a cautious placeholder such as:
- English:
(affected versions to be confirmed) - Chinese:
(受影响版本待确认)
Do not fabricate an affected range.
Core Code Rules
Every output file must contain the core vulnerable code path.
The code content must:
- cover the confirmed risk chain from entry point to enforcement failure or dangerous sink
- use concise snippets only, not full files
- keep line references or file references when available
- explain why each snippet matters
- avoid speculative code that has not been tied to the verified exploit path
POC Rules
POC must contain the practical reproduction flow and a complete PoC that can be followed without screenshots.
The PoC must:
- use the verified route, parameters, headers, and payload format
- match the actual request method and endpoint naming used by the product
- state the relevant runtime prerequisites when they affect exploitability
- describe the expected response or outcome based on verified evidence
- stay reproducible and copyable
Do not leave screenshot placeholders or screenshot guidance in any output unless the user explicitly asks for them.
Content Rules
Summary
- State the vulnerability type, affected feature or endpoint, attacker prerequisites, and core impact in 1 to 3 short paragraphs.
Details
- Explain the root cause.
- Reference the relevant endpoint, permission model, trust boundary, or data flow.
- Include the core vulnerable code path or concise code snippets that materially strengthen the report.
- Remove noisy implementation detail that does not help the reader understand exploitability.
POC
- Describe the exploitation path in a practical order.
- Reuse the user's verified repro flow when available.
- Keep the steps reproducible.
- Include a complete PoC and expected outcome instead of screenshot placeholders.
Impact
- State concrete security consequences.
- Do not repeat the full repro flow.
- Prefer direct outcomes such as unauthorized access, credential leakage, internal network reachability, task tampering, code execution, or cross-tenant data exposure.
Remediation
- Give high-level, technically correct fix guidance.
- Do not prescribe overly specific code patches unless the user explicitly asks for them.
- Prefer durable fixes such as consistent server-side authorization checks, trusted-source resolution, strict validation, identity binding, or removal of insecure defaults.
Disclosure Notes
- Keep this section short.
- Use it for caveats such as unconfirmed affected version range, issue-style formatting, or disclosure status.
Supplemental Information / 补充信息
- Append this section at the very end of
xxx_en.mdandxxx_zh.md. - Use it for form-style metadata that should remain easy to copy into advisory portals or disclosure forms.
- Include these fields:
Affected productsEcosystemPackage nameAffected versionsPatched versions
SeverityScoring methodScoreVector string
WeaknessesCWE
Severitymust provide CVSS scoring details: method, numeric score from 0.0 to 10.0, and vector string.- If any value is unknown, keep a clearly marked placeholder instead of inventing one.
CVE Template Rules
The xxx_cve.md file is a structured submission helper for CVE or CNA intake forms.
Populate these fields:
Vulnerability typeCWEVendor of the product(s)Affected product(s)/code baseProductVersion
Attack typeImpact- if
Otheris selected, explain it
- if
Affected component(s)Core vulnerable code pathAttack vector(s)Suggested description of the vulnerability for use in the CVEDiscoverer(s)/CreditsReference(s)Additional information
Apply these constraints:
Vulnerability typemust be chosen from the fixed enumerated options documented in the template.Attack typemust be chosen from the fixed enumerated options documented in the template.Impactmust use only the documented checkbox options, andOther impactmust explain any checkedOther.CWEmay use a precise CWE identifier with a short title, or a clearly marked placeholder if not yet confirmed.Core vulnerable code pathmust contain concise, relevant snippets or a structured source-to-sink summary.- Default
Discoverer(s)/Creditsto[Your Name]unless the user explicitly overrides it. - Default
Reference(s)to blank placeholders for the user to fill later. - Default
Additional informationto blank unless useful supporting context is clearly available. - Do not invent fixed versions or references.
- If multiple impacts apply, list all supported ones in the template output.
Style Rules
- Use Markdown only.
- Prefer short paragraphs and flat bullets.
- Keep each section focused.
- Avoid hype, emotional wording, and unsupported severity claims.
- Preserve the user's evidence and findings; improve clarity, not meaning.
- Do not downgrade or upgrade impact without evidence from the source materials.
Handling Source Drafts
When the user provides rough drafts:
- keep all verified facts
- normalize terminology
- fill missing
Impact,Remediation,Disclosure Notes,CWE, or huntr field content when needed - remove duplicate statements across sections
- merge redundant request or verification details into
POC - convert screenshots into supporting evidence only when the user explicitly wants them referenced
When the user provides only one language:
- draft the missing language version to match it exactly in meaning
When the user provides both languages:
- align them so the content is equivalent section by section
Resources
Use these files as the canonical reference for output shape:
Version History
- 97ce141 Current 2026-07-05 09:22


