ark-vulnerability-fixer by mckinsey
CVE research and security patch workflow for Ark. Provides CVE API integration, mitigation strategies, and security-focused PR templates. Works with research, analysis, and setup skills for comprehensive vulnerability fixing.
Content & Writing
301 Stars
68 Forks
Updated Jan 17, 2026, 08:37 PM
Why Use This
This skill provides specialized capabilities for mckinsey's codebase.
Use Cases
- Developing new features in the mckinsey repository
- Refactoring existing code to follow mckinsey standards
- Understanding and working with mckinsey's codebase structure
Source & Community
Repository agents-at-scale-ark
Skill Version
main
Skill Stats
SKILL.md 404 Lines
Total Files 1
Total Size 0 B
License NOASSERTION
---
name: ark-vulnerability-fixer
description: CVE research and security patch workflow for Ark. Provides CVE API integration, mitigation strategies, and security-focused PR templates. Works with research, analysis, and setup skills for comprehensive vulnerability fixing.
---
# Ark Vulnerability Fixer
Provides CVE-specific research tools and security patch workflows for fixing vulnerabilities in Ark.
## When to use this skill
Use this skill when:
- User mentions a specific CVE number (e.g., "Fix CVE-2025-55183 in Ark")
- User reports a security vulnerability that needs patching
- You need CVE database information
- You need security-focused PR templates
**Note**: This skill is typically used by the **ark-security-patcher** agent as part of a complete workflow:
1. CVE research (this skill + **research** skill)
2. Codebase analysis (this skill + **analysis** skill)
3. Mitigation planning (this skill)
4. Repository cloning and fix implementation
5. Testing (optionally with **setup** skill)
6. PR creation (this skill)
This skill complements the **research**, **analysis**, and **setup** skills for a complete end-to-end vulnerability fixing workflow.
## CVE Research
### CVE API Integration
Fetch official CVE data from the CIRCL CVE database:
```bash
# Fetch CVE details
curl -s "https://cve.circl.lu/api/cve/CVE-2025-55183" | python3 -m json.tool
```
The API provides:
- Official CVE description
- CVSS scores and severity ratings
- References to security advisories
- Affected products and version ranges
- CWE categorization
- Available patches and fixes
### CVE Research Checklist
For each CVE, gather:
- [ ] Official CVE description and CVSS score
- [ ] Vendor security advisory
- [ ] GitHub security advisory (if applicable)
- [ ] Patch or fix documentation
- [ ] Affected version range
- [ ] Recommended version or workaround
**Tip**: Use the **research** skill for web searches to find vendor advisories and GitHub security alerts.
## Dependency Analysis
### Identifying Vulnerable Dependencies
Once you have CVE details, search Ark's dependencies:
```bash
cd /tmp/ark-analysis # Use analysis skill to clone first
# Go dependencies
grep "package-name" go.mod go.sum
go list -m all | grep "package-name"
# Node.js dependencies
find . -name "package.json" -exec grep -l "package-name" {} \;
npm list package-name # If in a node project
# Python dependencies
find . -name "requirements.txt" -o -name "pyproject.toml" | xargs grep "package-name"
# Docker base images
find . -name "Dockerfile" | xargs grep "FROM"
```
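The `grep` commands above show that a package is present, not whether the pinned version falls inside the CVE's affected range. The following is an added example (not part of the Ark skill or repository) that reads the required version from a `go.mod` and compares it with the first patched version from the advisory; the function names, module paths and versions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; module paths and versions below are constructed.

# Print the version that go.mod requires for a module (single-line or block form).
gomod_version() {
  awk -v m="$2" '
    $1 == "require" && $2 == "(" { inreq = 1; next }
    inreq && $1 == ")"           { inreq = 0; next }
    $1 == "require" && $2 == m   { print $3; exit }
    inreq && $1 == m             { print $2; exit }
  ' "$1"
}

# Exit 0 if $1 < $2, 1 if $1 >= $2, 2 if either is a pre-release or
# pseudo-version (contains "-"), which sort -V does not order as semver does.
version_lt() {
  local have="${1%+incompatible}" fixed="${2%+incompatible}"
  case "$have$fixed" in *-*) return 2 ;; esac
  [ "$have" = "$fixed" ] && return 1
  [ "$(printf '%s\n%s\n' "$have" "$fixed" | sort -V | head -n 1)" = "$have" ]
}

# Usage: check_module <go.mod> <module> <first patched version>
check_module() {
  local have rc=0
  have=$(gomod_version "$1" "$2")
  [ -z "$have" ] && { echo "ABSENT $2"; return 0; }
  version_lt "$have" "$3" || rc=$?
  case $rc in
    0) echo "VULNERABLE $2 $have < $3" ;;
    1) echo "PATCHED $2 $have >= $3" ;;
    *) echo "REVIEW $2 $have" ;;
  esac
}

# Constructed go.mod exercising each outcome.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/go.mod" <<'EOF'
module example.com/constructed

require example.com/single v1.4.0

require (
    example.com/lib v1.9.2
    example.com/pseudo v0.0.0-20240101000000-abcdefabcdef // indirect
)
EOF
check_module "$demo_dir/go.mod" example.com/lib v1.10.0   # a lexical compare would miss this
check_module "$demo_dir/go.mod" example.com/single v1.3.1
check_module "$demo_dir/go.mod" example.com/pseudo v1.0.0
check_module "$demo_dir/go.mod" example.com/missing v1.0.0
```

`go.mod` records the required version; `replace` directives are not considered here, so confirm the version actually selected with `go list -m all` as shown above.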
### Assessing Impact
Consider Ark's specific context:
- **Deployment model**: Kubernetes operator in cluster
- **Network exposure**: Services typically internal to cluster
- **Trust boundary**: Often in trusted environments
- **Attack vectors**: What's realistic given Ark's architecture?
**Tip**: Use the **analysis** skill to understand Ark's architecture and service boundaries.
## Mitigation Strategy
### Presenting Options to User
**CRITICAL**: Always present mitigation options and wait for user approval before making changes.
Use this template to present findings:
```markdown
## Security Vulnerability Analysis
### Vulnerability Details
- **CVE**: CVE-YYYY-NNNNN (or "Generic: [description]")
- **Severity**: [Critical/High/Medium/Low] (CVSS: [score])
- **Component**: [Library/package/framework]
- **Description**: [Clear explanation]
### Impact on Ark
- **Affected Services**: [List services/components]
- **Current Version**: [Version in use]
- **Vulnerable Versions**: [Range]
- **Attack Vector**: [How exploitable]
- **Risk Assessment**: [Realistic risk for Ark deployments]
### Mitigation Options
#### Option 1: [Recommended approach] (RECOMMENDED)
- **Action**: Update [component] from v[X] to v[Y]
- **Changes Required**: [Files to modify]
- **Testing Strategy**: [How to verify]
- **Impact**: [Breaking changes, if any]
- **Pros**: [Benefits]
- **Cons**: [Downsides]
#### Option 2: [Alternative approach]
- **Action**: [Alternative fix]
- **Changes Required**: [What changes]
- **Testing Strategy**: [How to verify]
- **Impact**: [Breaking changes, if any]
- **Pros**: [Benefits]
- **Cons**: [Downsides]
### Recommendation
Based on [evidence sources], I recommend **Option 1** because:
1. [Primary reason]
2. [Secondary reason]
### Next Steps
Would you like to proceed with this mitigation?
### Sources
- [CVE Database](https://cve.circl.lu/cve/CVE-YYYY-NNNNN)
- [Vendor Advisory](URL)
```
**STOP AND WAIT** for user approval before implementing.
## Repository Setup for Fixes
### Cloning for Development
After the user approves the mitigation, clone Ark for making changes:
```bash
# Clone the repository
git clone git@github.com:mckinsey/agents-at-scale-ark.git
cd agents-at-scale-ark
# Create a security fix branch
git checkout -b security/fix-cve-YYYY-NNNNN
# Verify branch
git branch --show-current
```
**For forks:**
```bash
git clone git@github.com:<username>/agents-at-scale-ark.git
cd agents-at-scale-ark
git remote add upstream git@github.com:mckinsey/agents-at-scale-ark.git
git fetch upstream
git checkout -b security/fix-cve-YYYY-NNNNN upstream/main
```
## Implementation
### Applying the Fix
Once the user approves and the repository is cloned, apply the changes:
```bash
cd agents-at-scale-ark
# For Go dependencies
go get package@version
go mod tidy
# For Node.js dependencies
npm install package@version
npm audit fix
# For Python dependencies
# Edit requirements.txt or pyproject.toml
pip install -r requirements.txt
# For Docker base images
# Edit Dockerfile FROM statements
```
### Verification
#### Basic Testing
```bash
cd agents-at-scale-ark
# Run tests
make test
# Build to check for breaking changes
make build
# Search for remaining vulnerable patterns
grep -r "vulnerable-pattern" .
```
#### Integration Testing with Setup Skill (Optional)
For changes that affect Ark runtime behavior, use the **setup** skill to test in a live cluster:
**When to use setup skill for testing:**
- Go operator changes (controllers, webhooks, CRDs)
- Service updates (ark-api, executor services)
- Changes that affect Kubernetes interactions
- Breaking changes that need verification
**Setup skill workflow:**
1. Creates a Kind cluster
2. Builds ark-cli from your security fix branch
3. Installs Ark with your changes
4. Verifies all pods are running
5. Allows you to test the fix in action
**Skip integration testing if:**
- Only updating documentation or CLI
- Changes are in isolated utility functions
- Dependencies don't affect runtime behavior
## Security-Focused PR Templates
### Commit Message Template
Ensure you're in the cloned repository:
```bash
cd agents-at-scale-ark
git add .
git commit -m "$(cat <<'EOF'
fix: CVE-YYYY-NNNNN in [component]
## Vulnerability Details
- CVE: CVE-YYYY-NNNNN
- Severity: [Critical/High/Medium/Low]
- CVSS Score: [X.X]
- Component: [package/library]
## Impact on Ark
[How this affects Ark services and realistic risk level]
## Changes
- Updated [component] from v[X] to v[Y]
- [Any code changes]
## Testing
- [Tests run and results]
## References
- CVE: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- Advisory: [URL]
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
EOF
)"
```
### Push to Remote
```bash
# Push the security fix branch
git push origin security/fix-cve-YYYY-NNNNN
```
### Pull Request Template
Create the PR with detailed security information:
```bash
gh pr create --title "fix: CVE-YYYY-NNNNN in [component]" --body "$(cat <<'EOF'
## Summary
Addresses security vulnerability CVE-YYYY-NNNNN in [component].
## Vulnerability Details
| Field | Value |
|-------|-------|
| **CVE** | CVE-YYYY-NNNNN |
| **Severity** | [Critical/High/Medium/Low] |
| **CVSS Score** | [X.X] |
| **Component** | [package] |
| **Current Version** | [old] |
| **Patched Version** | [new] |
### Description
[What the vulnerability is and how it could be exploited]
## Impact on Ark
### Affected Components
- [Service 1]: [Impact]
- [Service 2]: [Impact]
### Risk Assessment
**Risk Level**: [Level]
[Realistic assessment of actual risk to Ark deployments]
## Changes Made
- Updated `[component]` from `v[X]` to `v[Y]`
- [Other changes]
## Testing
- ✅ Unit tests pass
- ✅ Integration tests pass
- ✅ Manual verification completed
## References
- **CVE**: https://cve.circl.lu/cve/CVE-YYYY-NNNNN
- **Advisory**: [URL]
- **Patch Notes**: [URL]
🤖 Generated with [Claude Code](https://claude.com/claude-code)
EOF
)"
```
## Important Notes
### CVE API Usage
The CIRCL CVE API:
- Endpoint: `https://cve.circl.lu/api/cve/{CVE-ID}`
- Returns JSON with CVSS scores, references, affected versions
- No authentication required
- Fallback: Use web search if API is unreachable
### Ark Security Context
When assessing risk:
- **Architecture**: Kubernetes operator managing AI workloads
- **Components**: Go operator, Python services, Node.js CLI
- **Deployment**: Typically cluster-internal, trusted environments
- **Focus areas**: CRD controllers, API services, executor services
### Skill Composition
This skill provides CVE-specific tools. It works best when combined with:
- **research** skill - For web searches, vendor advisories, evidence gathering
- **analysis** skill - For cloning Ark repo (read-only) and examining codebase structure
- **setup** skill - For integration testing in a live Ark cluster
- **architecture** skill - For understanding service boundaries and impact
**Complete workflow example:**
1. Research CVE (this skill + research skill)
2. Analyze impact (this skill + analysis skill)
3. Clone for development (this skill)
4. Implement fix (this skill)
5. Test integration (this skill + setup skill, if needed)
6. Create PR (this skill)
### User Approval is Mandatory
**Never implement changes without explicit user approval.** This ensures:
- User understands security implications
- Approach aligns with security policies
- Testing strategy is appropriate
- Breaking changes are acknowledged
## Common Vulnerability Types
### Go Dependencies
- Check: `go.mod`, `go.sum`
- Update: `go get package@version && go mod tidy`
- Scan: `go list -m all`
### Node.js Dependencies
- Check: `package.json`, `package-lock.json`
- Update: `npm install package@version`
- Scan: `npm audit`
### Python Dependencies
- Check: `requirements.txt`, `pyproject.toml`
- Update: Edit requirements files
- Scan: `pip-audit` (if available)
### Docker Base Images
- Check: `Dockerfile` FROM statements
- Update: Change base image version
- Scan: `docker scout cves` (successor to the retired `docker scan`) or vulnerability databases