Ark Vulnerability Fixer
Provides CVE-specific research tools and security patch workflows for fixing vulnerabilities in Ark.
When to use this skill
Use this skill when:
- User mentions a specific CVE number (e.g., "Fix CVE-2025-55183 in Ark")
- User reports a security vulnerability that needs patching
- You need CVE database information
- You need security-focused PR templates
Note: This skill is typically used by the ark-security-patcher agent as part of a complete workflow:
- CVE research (this skill + research skill)
- Codebase analysis (this skill + analysis skill)
- Mitigation planning (this skill)
- Repository cloning and fix implementation
- Testing (optionally with setup skill)
- PR creation (this skill)
This skill complements the research, analysis, and setup skills for a complete end-to-end vulnerability fixing workflow.
CVE Research
CVE API Integration
Fetch official CVE data from the CIRCL CVE database:
```bash
# Fetch CVE details
curl -s "https://cve.circl.lu/api/cve/CVE-2025-55183" | python3 -m json.tool
```
The API provides:
- Official CVE description
- CVSS scores and severity ratings
- References to security advisories
- Affected products and version ranges
- CWE categorization
- Available patches and fixes
CVE Research Checklist
For each CVE, gather:
- Official CVE description and CVSS score
- Vendor security advisory
- GitHub security advisory (if applicable)
- Patch or fix documentation
- Affected version range
- Recommended version or workaround
Tip: Use the research skill for web searches to find vendor advisories and GitHub security alerts.
Dependency Analysis
Identifying Vulnerable Dependencies
Once you have CVE details, search Ark's dependencies:
```bash
cd /tmp/ark-analysis  # Use analysis skill to clone first

# Go dependencies
grep "package-name" go.mod go.sum
go list -m all | grep "package-name"

# Node.js dependencies
find . -name "package.json" -exec grep -l "package-name" {} \;
npm list package-name  # If in a node project

# Python dependencies
find . -name "requirements.txt" -o -name "pyproject.toml" | xargs grep "package-name"

# Docker base images
find . -name "Dockerfile" | xargs grep "FROM"
```
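The grep commands above locate the manifests; the next question is whether each pinned version actually falls inside the CVE's affected range. The following Python is an added example for this page, not Ark project code: it walks a small constructed tree of the manifest types the page greps (`go.mod`, `package.json`, `requirements.txt`, `Dockerfile`), pulls the pinned version of a named package from each, and compares it with the first fixed version using CVE `lessThan` semantics, including the semver rule that a pre-release of the fixed version is still vulnerable. Package names, paths and versions are constructed samples.

```python
"""Find a named dependency in Ark-style manifests and decide whether each pin
lies inside the CVE's affected range.

Added example for this skill page, not Ark project code. The tree below is a
constructed sample keyed by path as `find` would report it; the manifest
formats handled are go.mod, package.json, requirements.txt and Dockerfile.
"""
import json
import re

# Constructed sample manifests; package names and versions are placeholders.
SAMPLE_TREE = {
    "go.mod": "module example.com/ark\n\ngo 1.22\n\nrequire (\n"
              "\tgithub.com/example/vulnlib v1.1.4\n\tgolang.org/x/text v0.14.0\n)\n",
    "services/ark-api/requirements.txt": "fastapi==0.110.0\nvulnlib==1.1.4  # pinned\n",
    "tools/ark-cli/package.json": json.dumps({"dependencies": {"vulnlib": "^1.1.4"}}),
    "services/ark-api/Dockerfile": "FROM python:3.12-slim\nRUN pip install -r requirements.txt\n",
}

_VERSION_RE = re.compile(r"[v^~>=<!\s]*(\d+(?:\.\d+)*)(-(?:alpha|beta|rc|pre|dev)[0-9A-Za-z.]*)?", re.I)


def parse_version(v: str) -> tuple[int, ...]:
    """Comparable tuple from 'v1.2.3', '^1.2.3', '1.2.3-rc1' or a Docker tag like '3.12-slim'.

    A trailing 0 marks a release and -1 a pre-release, so 1.2.3-rc1 sorts before
    1.2.3 as semver requires.
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + ((-1,) if m.group(2) else (0,))


def find_dependency(tree: dict[str, str], name: str) -> list[tuple[str, str]]:
    """Return (path, version string) for every manifest in `tree` that pins `name`."""
    hits = []
    for path, text in tree.items():
        base = path.rsplit("/", 1)[-1]
        if base == "go.mod":
            # Match "<module path> v<semver>" lines; the last path element is the package name.
            for m in re.finditer(r"^\s*(\S+)\s+(v\d+\.\d+\.\d+\S*)", text, re.M):
                if m.group(1) == name or m.group(1).rsplit("/", 1)[-1] == name:
                    hits.append((path, m.group(2)))
        elif base == "package.json":
            data = json.loads(text)
            for section in ("dependencies", "devDependencies"):
                if name in data.get(section, {}):
                    # A caret/tilde range is only a lower bound; the resolved version
                    # lives in package-lock.json and should be checked there too.
                    hits.append((path, data[section][name]))
        elif base == "requirements.txt":
            for m in re.finditer(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([\w.\-]+)", text, re.M):
                if m.group(1).lower() == name.lower():
                    hits.append((path, m.group(2)))
        elif base == "Dockerfile":
            for m in re.finditer(r"^FROM\s+(\S+)", text, re.M):
                image = m.group(1)
                repo, _, tag = image.partition(":")
                if repo.rsplit("/", 1)[-1] == name:
                    hits.append((path, tag or "latest"))
    return hits


def is_vulnerable(pinned: str, first_fixed: str, first_affected: str = "0") -> bool:
    """True when first_affected <= pinned < first_fixed (CVE 'lessThan' semantics)."""
    p = parse_version(pinned)
    return parse_version(first_affected) <= p < parse_version(first_fixed)


def assess(tree: dict[str, str], name: str, first_fixed: str,
           first_affected: str = "0") -> list[tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every pin of `name` in the tree."""
    return [(path, ver, is_vulnerable(ver, first_fixed, first_affected))
            for path, ver in find_dependency(tree, name)]


if __name__ == "__main__":
    for path, ver, vuln in assess(SAMPLE_TREE, "vulnlib", "1.2.3", first_affected="1.0.0"):
        print(f"{path}: {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run it against a real checkout by building the `tree` dict from the `find` output above (path to file contents). Lockfiles (`go.sum`, `package-lock.json`) and `pyproject.toml` are deliberately outside this example; the resolved version in a lockfile is what ships, so check it as well when the manifest gives a range rather than an exact pin.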
Assessing Impact
Consider Ark's specific context:
- Deployment model: Kubernetes operator in cluster
- Network exposure: Services typically internal to cluster
- Trust boundary: Often in trusted environments
- Attack vectors: What's realistic given Ark's architecture?
Tip: Use the analysis skill to understand Ark's architecture and service boundaries.
Mitigation Strategy
Presenting Options to User
CRITICAL: Always present mitigation options and wait for user approval before making changes.
Use this template to present findings:
```markdown
## Security Vulnerability Analysis

### Vulnerability Details
- **CVE**: CVE-YYYY-NNNNN (or "Generic: [description]")
- **Severity**: [Critical/High/Medium/Low] (CVSS: [score])
- **Component**: [Library/package/framework]
- **Description**: [Clear explanation]

### Impact on Ark
- **Affected Services**: [List services/components]
- **Current Version**: [Version in use]
- **Vulnerable Versions**: [Range]
- **Attack Vector**: [How exploitable]
- **Risk Assessment**: [Realistic risk for Ark deployments]

### Mitigation Options

#### Option 1: [Recommended approach] (RECOMMENDED)
- **Action**: Update [component] from v[X] to v[Y]
- **Changes Required**: [Files to modify]
- **Testing Strategy**: [How to verify]
- **Impact**: [Breaking changes, if any]
- **Pros**: [Benefits]
- **Cons**: [Downsides]

#### Option 2: [Alternative approach]
- **Action**: [Alternative fix]
- **Changes Required**: [What changes]
- **Testing Strategy**: [How to verify]
- **Impact**: [Breaking changes, if any]
- **Pros**: [Benefits]
- **Cons**: [Downsides]

### Recommendation
Based on [evidence sources], I recommend **Option 1** because:
1. [Primary reason]
2. [Secondary reason]

### Next Steps
Would you like to proceed with this mitigation?

### Sources
- [CVE Database](https://cve.circl.lu/cve/CVE-YYYY-NNNNN)
- [Vendor Advisory](URL)
```
STOP AND WAIT for user approval before implementing.
Repository Setup for Fixes
Cloning for Development
After the user approves the mitigation, clone Ark to make the changes:
```bash
# Clone the repository
git clone git@github.com:mckinsey/agents-at-scale-ark.git
cd agents-at-scale-ark

# Create a security fix branch
git checkout -b security/fix-cve-YYYY-NNNNN

# Verify branch
git branch --show-current
```
For forks:
```bash
git clone git@github.com:<username>/agents-at-scale-ark.git
cd agents-at-scale-ark
git remote add upstream git@github.com:mckinsey/agents-at-scale-ark.git
git fetch upstream
git checkout -b security/fix-cve-YYYY-NNNNN upstream/main
```
Implementation
Applying the Fix
Once the user approves and the repository is cloned, apply the changes:
```bash
cd agents-at-scale-ark

# For Go dependencies
go get package@v1.2.3
go mod tidy

# For Node.js dependencies
npm install package@1.2.3
npm audit fix

# For Python dependencies
# Edit requirements.txt or pyproject.toml
pip install -r requirements.txt

# For Docker base images
# Edit Dockerfile FROM statements
```
Verification
Basic Testing
```bash
cd agents-at-scale-ark

# Run tests
make test

# Build to check for breaking changes
make build

# Search for remaining vulnerable patterns
grep -r "vulnerable-pattern" .
```
Integration Testing with Setup Skill (Optional)
For changes that affect Ark runtime behavior, use the setup skill to test in a live cluster:
When to use setup skill for testing:
- Go operator changes (controllers, webhooks, CRDs)
- Service updates (ark-api, executor services)
- Changes that affect Kubernetes interactions
- Breaking changes that need verification
Setup skill workflow:
- Creates a Kind cluster
- Builds ark-cli from your security fix branch
- Installs Ark with your changes
- Verifies all pods are running
- Allows you to test the fix in action
Skip integration testing if:
- Only updating documentation or CLI
- Changes are in isolated utility functions
- Dependencies don't affect runtime behavior
Security-Focused PR Templates
Commit Message Template
Ensure you're in the cloned repository:
```bash
cd agents-at-scale-ark
git add .
git commit -m "$(cat <<'EOF'
fix: CVE-YYYY-NNNNN in [component]

## Vulnerability Details
- CVE: CVE-YYYY-NNNNN
- Severity: [Critical/High/Medium/Low]
- CVSS Score: [X.X]
- Component: [package/library]

## Impact on Ark
[How this affects Ark services and realistic risk level]

## Changes
- Updated [component] from v[X] to v[Y]
- [Any code changes]

## Testing
- [Tests run and results]

## References
- CVE: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- Advisory: [URL]

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
EOF
)"
```
Push to Remote
```bash
# Push the security fix branch
git push origin security/fix-cve-YYYY-NNNNN
```
Pull Request Template
Create the PR with detailed security information:
```bash
gh pr create --title "fix: CVE-YYYY-NNNNN in [component]" --body "$(cat <<'EOF'
## Summary
Addresses security vulnerability CVE-YYYY-NNNNN in [component].

## Vulnerability Details
| Field | Value |
|-------|-------|
| **CVE** | CVE-YYYY-NNNNN |
| **Severity** | [Critical/High/Medium/Low] |
| **CVSS Score** | [X.X] |
| **Component** | [package] |
| **Current Version** | [old] |
| **Patched Version** | [new] |

### Description
[What the vulnerability is and how it could be exploited]

## Impact on Ark

### Affected Components
- [Service 1]: [Impact]
- [Service 2]: [Impact]

### Risk Assessment
**Risk Level**: [Level]

[Realistic assessment of actual risk to Ark deployments]

## Changes Made
- Updated `[component]` from `v[X]` to `v[Y]`
- [Other changes]

## Testing
- ✅ Unit tests pass
- ✅ Integration tests pass
- ✅ Manual verification completed

## References
- **CVE**: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- **Advisory**: [URL]
- **Patch Notes**: [URL]

🤖 Generated with [Claude Code](https://claude.com/claude-code)
EOF
)"
```
Important Notes
CVE API Usage
The CIRCL CVE API:
- Endpoint: `https://cve.circl.lu/api/cve/{CVE-ID}`
- Returns JSON with CVSS scores, references, affected versions
- No authentication required
- Fallback: Use web search if API is unreachable
Ark Security Context
When assessing risk:
- Architecture: Kubernetes operator managing AI workloads
- Components: Go operator, Python services, Node.js CLI
- Deployment: Typically cluster-internal, trusted environments
- Focus areas: CRD controllers, API services, executor services
Skill Composition
This skill provides CVE-specific tools. It works best when combined with:
- research skill - For web searches, vendor advisories, evidence gathering
- analysis skill - For cloning Ark repo (read-only) and examining codebase structure
- setup skill - For integration testing in a live Ark cluster
- architecture skill - For understanding service boundaries and impact
Complete workflow example:
- Research CVE (this skill + research skill)
- Analyze impact (this skill + analysis skill)
- Clone for development (this skill)
- Implement fix (this skill)
- Test integration (this skill + setup skill, if needed)
- Create PR (this skill)
User Approval is Mandatory
Never implement changes without explicit user approval. This ensures:
- User understands security implications
- Approach aligns with security policies
- Testing strategy is appropriate
- Breaking changes are acknowledged
Common Vulnerability Types
Go Dependencies
- Check: `go.mod`, `go.sum`
- Update: `go get package@version && go mod tidy`
- Scan: `go list -m all`
Node.js Dependencies
- Check: `package.json`, `package-lock.json`
- Update: `npm install package@version`
- Scan: `npm audit`
Python Dependencies
- Check: `requirements.txt`, `pyproject.toml`
- Update: Edit requirements files
- Scan: `pip-audit` (if available)
Docker Base Images
- Check: `Dockerfile` `FROM` statements
- Update: Change base image version
- Scan: `docker scan` or vulnerability databases