# Ark Vulnerability Fixer

Provides CVE-specific research tools and security patch workflows for fixing vulnerabilities in Ark.
## When to use this skill

Use this skill when:

- The user mentions a specific CVE number (e.g., "Fix CVE-2025-55183 in Ark")
- The user reports a security vulnerability that needs patching
- You need CVE database information
- You need security-focused PR templates
Note: This skill is typically used by the ark-security-patcher agent as part of a complete workflow:

1. CVE research (this skill + research skill)
2. Codebase analysis (this skill + analysis skill)
3. Mitigation planning (this skill)
4. Repository cloning and fix implementation
5. Testing (optionally with setup skill)
6. PR creation (this skill)

This skill complements the research, analysis, and setup skills for a complete end-to-end vulnerability fixing workflow.
## CVE Research

### CVE API Integration

Fetch official CVE data from the CIRCL CVE database:

```bash
# Fetch CVE details
curl -s "https://cve.circl.lu/api/cve/CVE-2025-55183" | python3 -m json.tool
```
The API provides:

- Official CVE description
- CVSS scores and severity ratings
- References to security advisories
- Affected products and version ranges
- CWE categorization
- Available patches and fixes
### CVE Research Checklist

For each CVE, gather:

- Official CVE description and CVSS score
- Vendor security advisory
- GitHub security advisory (if applicable)
- Patch or fix documentation
- Affected version range
- Recommended version or workaround
Tip: Use the research skill for web searches to find vendor advisories and GitHub security alerts.
## Dependency Analysis

### Identifying Vulnerable Dependencies

Once you have CVE details, search Ark's dependencies:

```bash
cd /tmp/ark-analysis  # Use analysis skill to clone first

# Go dependencies
grep "package-name" go.mod go.sum
go list -m all | grep "package-name"

# Node.js dependencies
find . -name "package.json" -exec grep -l "package-name" {} \;
npm list package-name  # If in a node project

# Python dependencies
find . \( -name "requirements.txt" -o -name "pyproject.toml" \) | xargs grep "package-name"

# Docker base images
find . -name "Dockerfile" | xargs grep "FROM"
```
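The grep above tells you that a package is present; the next question is whether the pinned version actually sits inside the CVE's affected range. The following added example (not code from the Ark skill or the Ark repository) parses a go.mod and checks the advisory's module against an introduced/fixed range, with semver ordering that treats Go pseudo-versions of the fixed release as still affected. Everything in it is constructed: the go.mod text, the module path `example.com/vulnlib`, and the advisory record, whose `introduced`/`fixed` fields are an assumption modelled on Go vulnerability reports rather than the CIRCL response format. Running the same check after `go get` confirms the new pin is outside the range.

```python
"""Check whether a Go module pinned in go.mod falls inside a CVE's affected range.

Added example for this skill page; not code from the Ark skill or repository.
Everything below is constructed: the go.mod text, the module path
example.com/vulnlib, and the advisory record (its introduced/fixed fields are
an assumption modelled on Go vulnerability reports, not a CIRCL API schema).
"""
import re

# Constructed go.mod; "example.com/vulnlib v1.2.3" is the placeholder vulnerable pin.
GO_MOD_SAMPLE = """\
module github.com/example/ark-sample

go 1.22

require (
    github.com/example/unrelated v1.4.0
    example.com/vulnlib v1.2.3
    example.com/other v0.9.1 // indirect
)
"""

# Constructed advisory: versions >= introduced and < fixed are affected.
ADVISORY_SAMPLE = {
    "id": "CVE-YYYY-NNNNN",  # placeholder, not a real CVE
    "module": "example.com/vulnlib",
    "ranges": [{"introduced": "1.0.0", "fixed": "1.2.4"}],
}

REQUIRE_RE = re.compile(r"^(\S+)\s+(v\S+)$")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_go_mod(text):
    """Return {module_path: version} for every require entry, block or single-line."""
    deps = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.split("//", 1)[0].strip()  # drop "// indirect" style comments
        if stripped.startswith("require ("):
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if stripped.startswith("require "):
            stripped = stripped[len("require "):]
        elif not in_block:
            continue  # module, go, replace, blank lines, etc.
        m = REQUIRE_RE.match(stripped)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def version_key(version):
    """Sortable key for a semver/Go version. A pre-release or Go pseudo-version
    (v1.2.4-0.2024...) sorts before the release it precedes, so a pseudo-version
    of the fixed release is still reported as affected."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range; a missing 'fixed' is open-ended."""
    key = version_key(version)
    for r in ranges:
        lower = version_key(r.get("introduced", "0.0.0"))
        fixed = r.get("fixed")
        if key >= lower and (fixed is None or key < version_key(fixed)):
            return True
    return False


def check_go_mod(go_mod_text, advisory):
    """Report whether the advisory's module is pinned and, if so, whether the pin is affected."""
    deps = parse_go_mod(go_mod_text)
    module = advisory["module"]
    version = deps.get(module)
    if version is None:
        return {"module": module, "present": False, "version": None, "affected": False}
    return {"module": module, "present": True, "version": version,
            "affected": is_affected(version, advisory["ranges"])}


if __name__ == "__main__":
    before = check_go_mod(GO_MOD_SAMPLE, ADVISORY_SAMPLE)
    # Simulate the fix step (go get example.com/vulnlib@v1.2.4) on the constructed go.mod.
    after = check_go_mod(GO_MOD_SAMPLE.replace("v1.2.3", "v1.2.4"), ADVISORY_SAMPLE)
    print("before fix:", before)
    print("after fix: ", after)
```

The check deliberately reads go.mod rather than `go list -m all` output so it runs without a Go toolchain; on a real clone, feed it the repository's go.mod and the range from the advisory gathered in the research step.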
### Assessing Impact

Consider Ark's specific context:

- Deployment model: Kubernetes operator in cluster
- Network exposure: Services typically internal to cluster
- Trust boundary: Often in trusted environments
- Attack vectors: What's realistic given Ark's architecture?
Tip: Use the analysis skill to understand Ark's architecture and service boundaries.
## Mitigation Strategy

### Presenting Options to User

CRITICAL: Always present mitigation options and wait for user approval before making changes.

Use this template to present findings:

```markdown
## Security Vulnerability Analysis

### Vulnerability Details
- CVE: CVE-YYYY-NNNNN (or "Generic: [description]")
- Severity: [Critical/High/Medium/Low] (CVSS: [score])
- Component: [Library/package/framework]
- Description: [Clear explanation]

### Impact on Ark
- Affected Services: [List services/components]
- Current Version: [Version in use]
- Vulnerable Versions: [Range]
- Attack Vector: [How exploitable]
- Risk Assessment: [Realistic risk for Ark deployments]

### Mitigation Options

#### Option 1: [Recommended approach] (RECOMMENDED)
- Action: Update [component] from v[X] to v[Y]
- Changes Required: [Files to modify]
- Testing Strategy: [How to verify]
- Impact: [Breaking changes, if any]
- Pros: [Benefits]
- Cons: [Downsides]

#### Option 2: [Alternative approach]
- Action: [Alternative fix]
- Changes Required: [What changes]
- Testing Strategy: [How to verify]
- Impact: [Breaking changes, if any]
- Pros: [Benefits]
- Cons: [Downsides]

### Recommendation
Based on [evidence sources], I recommend Option 1 because:
- [Primary reason]
- [Secondary reason]

### Next Steps
Would you like to proceed with this mitigation?

### Sources
```

STOP AND WAIT for user approval before implementing.
## Repository Setup for Fixes

### Cloning for Development

After the user approves the mitigation, clone Ark for making changes:

```bash
# Clone the repository
git clone git@github.com:mckinsey/agents-at-scale-ark.git
cd agents-at-scale-ark

# Create a security fix branch
git checkout -b security/fix-cve-YYYY-NNNNN

# Verify branch
git branch --show-current
```

For forks:

```bash
git clone git@github.com:<username>/agents-at-scale-ark.git
cd agents-at-scale-ark
git remote add upstream git@github.com:mckinsey/agents-at-scale-ark.git
git fetch upstream
git checkout -b security/fix-cve-YYYY-NNNNN upstream/main
```
## Implementation

### Applying the Fix

Once the user approves and the repository is cloned, apply changes:

```bash
cd agents-at-scale-ark

# For Go dependencies
go get package@v1.2.3
go mod tidy

# For Node.js dependencies
npm install package@1.2.3
npm audit fix

# For Python dependencies
# Edit requirements.txt or pyproject.toml, then:
pip install -r requirements.txt

# For Docker base images
# Edit Dockerfile FROM statements
```
## Verification

### Basic Testing

```bash
cd agents-at-scale-ark

# Run tests
make test

# Build to check for breaking changes
make build

# Search for remaining vulnerable patterns
grep -r "vulnerable-pattern" .
```
### Integration Testing with Setup Skill (Optional)

For changes that affect Ark runtime behavior, use the setup skill to test in a live cluster.

When to use the setup skill for testing:

- Go operator changes (controllers, webhooks, CRDs)
- Service updates (ark-api, executor services)
- Changes that affect Kubernetes interactions
- Breaking changes that need verification

Setup skill workflow:

1. Creates a Kind cluster
2. Builds ark-cli from your security fix branch
3. Installs Ark with your changes
4. Verifies all pods are running
5. Allows you to test the fix in action

Skip integration testing if:

- Only updating documentation or CLI
- Changes are in isolated utility functions
- Dependencies don't affect runtime behavior
## Security-Focused PR Templates

### Commit Message Template

Ensure you're in the cloned repository:

```bash
cd agents-at-scale-ark
git add .
git commit -m "$(cat <<'EOF'
fix: CVE-YYYY-NNNNN in [component]

## Vulnerability Details
- CVE: CVE-YYYY-NNNNN
- Severity: [Critical/High/Medium/Low]
- CVSS Score: [X.X]
- Component: [package/library]

## Impact on Ark
[How this affects Ark services and realistic risk level]

## Changes
- Updated [component] from v[X] to v[Y]
- [Any code changes]

## Testing
- [Tests run and results]

## References
- CVE: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- Advisory: [URL]

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
EOF
)"
```

### Push to Remote

```bash
# Push the security fix branch
git push origin security/fix-cve-YYYY-NNNNN
```
### Pull Request Template

Create the PR with detailed security information:

```bash
gh pr create --title "fix: CVE-YYYY-NNNNN in [component]" --body "$(cat <<'EOF'
## Summary
Addresses security vulnerability CVE-YYYY-NNNNN in [component].

## Vulnerability Details
| Field | Value |
|---|---|
| CVE | CVE-YYYY-NNNNN |
| Severity | [Critical/High/Medium/Low] |
| CVSS Score | [X.X] |
| Component | [package] |
| Current Version | [old] |
| Patched Version | [new] |

## Description
[What the vulnerability is and how it could be exploited]

## Impact on Ark

### Affected Components

### Risk Assessment
Risk Level: [Level]

[Realistic assessment of actual risk to Ark deployments]

## Changes Made
- Updated [component] from v[X] to v[Y]
- [Other changes]

## Testing
- ✅ Unit tests pass
- ✅ Integration tests pass
- ✅ Manual verification completed

## References
- CVE: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- Advisory: [URL]
- Patch Notes: [URL]

🤖 Generated with Claude Code
EOF
)"
```
## Important Notes

### CVE API Usage

The CIRCL CVE API:

- Endpoint: https://cve.circl.lu/api/cve/{CVE-ID}
- Returns JSON with CVSS scores, references, affected versions
- No authentication required
- Fallback: Use web search if API is unreachable
### Ark Security Context

When assessing risk:

- Architecture: Kubernetes operator managing AI workloads
- Components: Go operator, Python services, Node.js CLI
- Deployment: Typically cluster-internal, trusted environments
- Focus areas: CRD controllers, API services, executor services
### Skill Composition

This skill provides CVE-specific tools. It works best when combined with:

- research skill - For web searches, vendor advisories, evidence gathering
- analysis skill - For cloning the Ark repo (read-only) and examining codebase structure
- setup skill - For integration testing in a live Ark cluster
- architecture skill - For understanding service boundaries and impact

Complete workflow example:

1. Research CVE (this skill + research skill)
2. Analyze impact (this skill + analysis skill)
3. Clone for development (this skill)
4. Implement fix (this skill)
5. Test integration (this skill + setup skill, if needed)
6. Create PR (this skill)
### User Approval is Mandatory

Never implement changes without explicit user approval. This ensures:

- The user understands the security implications
- The approach aligns with security policies
- The testing strategy is appropriate
- Breaking changes are acknowledged
## Common Vulnerability Types

### Go Dependencies

- Check: `go.mod`, `go.sum`
- Update: `go get package@version && go mod tidy`
- Scan: `go list -m all`

### Node.js Dependencies

- Check: `package.json`, `package-lock.json`
- Update: `npm install package@version`
- Scan: `npm audit`

### Python Dependencies

- Check: `requirements.txt`, `pyproject.toml`
- Update: Edit requirements files
- Scan: `pip-audit` (if available)

### Docker Base Images

- Check: `Dockerfile` FROM statements
- Update: Change base image version
- Scan: `docker scan` or vulnerability databases