Extract vuln-assessment-methodology into standalone capability #40
Merged
Generic vulnerability assessment guidance (source-to-sink tracing, disprove-first analysis, severity matrix, quality checklist, anti-patterns) was embedded in the dotnet-reversing skill. Extract it into a new vuln-assessment-methodology capability so any security capability can load it. dotnet-reversing and mcr-analysis now reference it while retaining .NET-specific patterns and a compact inline severity table for standalone viability. Co-Authored-By: Claude <noreply@anthropic.com>
…severity example - vuln-assessment-methodology: consolidate severity guidance (drop redundant prose lists, merge severity guide into rule 3, remove quality checklist that restated the rules, trim reporting standards) - dotnet-reversing: fix report_finding example to use criticality "critical" for hardcoded credential, remove low-signal weak crypto pattern, fix stale "quality checklist" reference - mcr-analysis: fix stale "quality checklist" reference, deduplicate dll_only fallback between sections Co-Authored-By: Claude <noreply@anthropic.com>
…d vuln-critic Add methodology skill reference to the web-security agent's Evidence Standards section and to vuln-critic's opening paragraph. Gives the pentesting pipeline access to the severity matrix, disprove-first discipline, and anti-patterns table. Co-Authored-By: Claude <noreply@anthropic.com>
…sis, and reporting rigor Add hard rule 9 (attack chain analysis), three-tier confidence levels (Confirmed/Probable/Suspected), opt-in PoC validation, and expand reporting standards with CWE classification, actionable remediation, root-cause deduplication, and scope documentation requirements. Co-Authored-By: Claude <noreply@anthropic.com>
…n reporting Rule 7: generalize to "security-sensitive sink" with examples instead of exhaustive list. Rule 9: clarify chain is reported alongside individual findings. Anti-pattern: align terminology with rule 9. Co-Authored-By: Claude <noreply@anthropic.com>
…all finding agents All 7 agents that report findings now load the methodology skill for source-to-sink tracing, disprove-first analysis, confidence levels, severity calibration, and reporting standards. attack-surface-mapper is excluded as it does recon only. Co-Authored-By: Claude <noreply@anthropic.com>
…logy in all finding agents" This reverts commit 447d178.
…n and keywords Description now reflects the full scope: confidence levels, chain analysis, CWE mapping, remediation standards, dedup, scope, and opt-in PoC validation. Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This PR extracts cross-cutting vulnerability assessment guidance into a new standalone vuln-assessment-methodology capability and wires it into existing security-focused skills/agents so multiple capabilities can share consistent severity calibration, disprove-first discipline, and reporting standards.
Changes:
- Added new `vuln-assessment-methodology` capability (single skill) defining rules, severity matrix, confidence levels, reporting standards, and anti-patterns.
- Updated `web-security` agent and `vuln-critic` skill to reference/loading guidance for the methodology skill.
- Updated .NET reversing and MCR analysis skills to reference the methodology and expanded guidance (including additional patterns and workflow notes).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| capabilities/web-security/skills/vuln-critic/SKILL.md | References the new methodology skill as the source for severity/anti-patterns guidance. |
| capabilities/web-security/agents/web-security.md | Adds instruction to load the methodology skill under Evidence Standards. |
| capabilities/vuln-assessment-methodology/skills/vuln-assessment-methodology/SKILL.md | New methodology skill with hard rules, severity/confidence guidance, reporting standards, and anti-patterns. |
| capabilities/vuln-assessment-methodology/capability.yaml | New capability definition/metadata for the methodology capability. |
| capabilities/dotnet-reversing/skills/mcr-analysis/SKILL.md | Adds methodology-skill load guidance and expands MCR-specific analysis and delegation guidance. |
| capabilities/dotnet-reversing/skills/dotnet-reversing/SKILL.md | Adds methodology references and expands vulnerability-pattern examples and reporting guidance. |
…te methodology frontmatter Path traversal "SAFE" example was bypassable via directory prefix collision (/app vs /app2). Normalize baseDir with trailing separator before StartsWith check. Also update vuln-assessment-methodology skill frontmatter description to reflect expanded scope. Co-Authored-By: Claude <noreply@anthropic.com>
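The prefix collision that commit message describes, shown as an added C# example (not code from this pull request or its repository): a bare `StartsWith` check against the base directory accepts a sibling directory such as `/app2`, while normalizing the base with a trailing separator first rejects it. The class and method names and the sample paths are assumptions constructed for illustration.

```csharp
using System;
using System.IO;

static class PathContainment
{
    // Bypassable form: "/app2/secret.txt" begins with "/app", so a sibling
    // directory that merely shares the prefix is treated as inside the base.
    public static bool IsInsideNaive(string baseDir, string userPath)
    {
        string root = Path.GetFullPath(baseDir);
        string full = Path.GetFullPath(Path.Combine(root, userPath));
        return full.StartsWith(root, StringComparison.Ordinal);
    }

    // Hardened form: the base directory is normalized to end with a
    // directory separator before the prefix comparison, so "/app/" can
    // only match paths that are really underneath /app.
    public static bool IsInsideStrict(string baseDir, string userPath)
    {
        string root = Path.GetFullPath(baseDir);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;

        // Resolve ".." segments before comparing; comparing the raw input
        // would let "reports/../../app2" slip through.
        string full = Path.GetFullPath(Path.Combine(root, userPath));
        return full.StartsWith(root, StringComparison.Ordinal);
    }
}

static class Program
{
    static void Main()
    {
        string baseDir = "/app"; // constructed sample base directory
        string[] samples = { "reports/q1.txt", "../app2/secret.txt", "../other/file.txt" };

        foreach (string p in samples)
        {
            bool naive = PathContainment.IsInsideNaive(baseDir, p);
            bool strict = PathContainment.IsInsideStrict(baseDir, p);
            Console.WriteLine($"{p,-22} naive={naive} strict={strict}");
        }
    }
}
```

The ordinal comparison assumes a case-sensitive file system; on a case-insensitive one the comparison mode has to match the file system's behaviour.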
mkultraWasHere added a commit that referenced this pull request Jun 6, 2026
Generic vulnerability assessment guidance was embedded in the `dotnet-reversing` skill. This extracts it into a reusable capability and wires it into `web-security`.

Added
- `vuln-assessment-methodology` capability — severity matrix, disprove-first rules, anti-patterns table, reporting standards. No tools/agents/workers, just a single skill for any security capability to load.

Changed
- `dotnet-reversing` skill now references `vuln-assessment-methodology` for generic methodology while retaining .NET-specific patterns (MarkupString, BinaryFormatter, JWT ReadToken, etc.), the severity table inline for standalone viability, and a compact pre-report checklist
- `mcr-analysis` skill adds "Not All MCR Images Are .NET" fallback guidance, MCR-specific attack surface targets (ONNX, ANSI parsers, Protobuf, URL parsers), repo prioritization tiers, and subagent delegation instructions referencing both skills
- `web-security` agent references the methodology skill in Evidence Standards
- `vuln-critic` skill references the methodology's severity matrix and anti-patterns table

Notes
- `dotnet-reversing` skill duplicates the severity table from the methodology so it works standalone without the methodology loaded — intentional tradeoff