## https://sploitus.com/exploit?id=47C982CB-7467-5FD3-A12F-99D4ADB71EA4
# CVSS & Exploit Evaluator
**A professional [Claude Skill](https://docs.claude.com) for defensive vulnerability analysis: rigorous CVSS v3.1 / v4.0 scoring, honest exploit-quality assessment, and enterprise-grade reporting, backed by a deterministic Python calculator.**

> **Defensive / analytical only.** This project *scores and rates known vulnerabilities* for blue teams and vulnerability-management workflows. It does **not** generate exploit code, payloads, or weaponization steps.
---
## Why this exists
Most CVSS tooling gives you a number and stops. Real vulnerability triage needs more: *why* each metric was chosen, how good a real exploit actually is (which is **not** the CVSS score), how likely exploitation is (EPSS), whether it's already happening (CISA KEV), what to do first, and how to defend and detect it, all with the uncertainty made explicit instead of hidden.
This skill turns Claude into a vulnerability analyst that produces that full picture, and pairs it with a **deterministic calculator** so scores are computed, never guessed.
## Features
- ✅ CVSS **v3.1** scoring (base / temporal / environmental)
- ✅ CVSS **v4.0** scoring (base / threat / environmental, incl. Subsequent-System impact)
- ✅ **Exploit-quality** assessment: Exploitability vs. Weaponization, five-tier scale
- ✅ **EPSS**, **CISA KEV**, and **SSVC** prioritization (kept as separate lenses)
- ✅ **CWE** and **MITRE ATT&CK** cross-referencing (with anti-fabrication guardrails)
- ✅ **Remediation guidance**: CWE → developer secure-coding fixes (`--remediate`)
- ✅ **Evidence tables**, assumption registers, contradiction detection, confidence scoring
- ✅ **Deterministic Python calculator**: 8 modes, with a dependency-free fallback
- ✅ **Operational response**: attack graph, mitigation matrix, detection, IOCs, timeline
- ✅ **Regression-tested** against known vectors

Designed for **blue teams, vulnerability-management, and threat-intel** workflows, and as a reference implementation for Claude Skill authors.
## Architecture
```
        User query (CVE / description / vector)
                        |
                        v
              Claude Skill (SKILL.md)
                        |
           +------------+------------+
           |                         |
           v                         v
   Python calculator          Reference library
  (scripts/cvss_calc.py)      (references/*.md)
           |                         |
           +------------+------------+
                        |
                        v
             Evidence-based analysis
                        |
                        v
  Report: CVSS + exploit + prioritization + response
```
See [`assets/architecture.svg`](assets/architecture.svg) and [`docs/architecture.md`](docs/architecture.md).

## Example output (abridged)
> Query: *"Evaluate CVE-2021-44228 (Log4Shell). Is the exploit any good?"*
**Executive Summary**: Maximum-severity (CVSS 10.0) unauthenticated remote code execution in Apache Log4j 2, triggered by getting the app to log a crafted string. Weaponized within hours, mass-exploited, and in CISA KEV. Patch immediately, then hunt for prior compromise.

**CVSS**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` → **10.0 (Critical)** (computed).

**Exploit**: Exploitability: *Excellent* · Weaponization: *Excellent* · deterministic bug class, turnkey, active in the wild.

**Prioritization**: CVSS 10.0 · EPSS: historically near-max *(verify live)* · KEV: listed *(verify)* · SSVC: **Act**.
Full worked report: [`examples/log4shell-CVE-2021-44228.md`](examples/log4shell-CVE-2021-44228.md). Ten worked CVE reports live in [`examples/`](examples/).
## Repository structure
```
cvss-exploit-evaluator/
├── README.md           ← you are here
├── LICENSE             ← MIT
├── CHANGELOG.md        ← version history
├── CONTRIBUTING.md     ← how to contribute
├── CODE_OF_CONDUCT.md
├── SECURITY.md         ← reporting + disclosure policy
├── ROADMAP.md          ← planned work
├── REFERENCES.md       ← authoritative sources / attribution
├── SKILL.md            ← the Claude Skill (entry point)
├── references/         ← 9 deep-dive analyst references
├── scripts/
│   └── cvss_calc.py    ← deterministic CVSS calculator (8 modes)
├── examples/           ← 10 worked CVE reports
├── tests/              ← regression suite + golden vectors
├── docs/               ← architecture, workflow, FAQ, limitations, philosophy, API
├── assets/             ← diagrams (SVG)
└── .github/            ← CI, issue templates, PR template
```
## Installation
**As a Claude Skill:** upload the packaged `.skill` (or this repo's `SKILL.md` + `references/` + `scripts/`) via your Claude Skills interface. See [`docs/workflow.md`](docs/workflow.md).
**Calculator (standalone):**
```bash
git clone https://github.com/david500900/cvss-exploit-evaluator.git
cd cvss-exploit-evaluator
pip install cvss # for v4.0 + temporal/environmental (v3.1 base works without it)
python3 scripts/cvss_calc.py "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
```
Requires Python 3.8+. The `cvss` library (Red Hat Product Security) is the only runtime dependency, and the calculator auto-installs it when possible; a dependency-free fallback covers v3.1 base scoring if it's unavailable.
## Usage: calculator modes
```bash
python3 scripts/cvss_calc.py "<vector>"                                      # full score + severity
python3 scripts/cvss_calc.py --json "<vector>"                               # machine-readable
python3 scripts/cvss_calc.py --compare "<vector-a>" "<vector-b>"             # side-by-side + delta
python3 scripts/cvss_calc.py --sensitivity "<vector>"                        # most influential metric
python3 scripts/cvss_calc.py --check "<vector>" --claims "unauth,remote,rce" # consistency
python3 scripts/cvss_calc.py --explain "<vector>"                            # plain-English metric breakdown
python3 scripts/cvss_calc.py --remediate CWE-502                             # secure-coding fix guidance
python3 scripts/cvss_calc.py --vector "AV:N/..."                             # prefix auto-added (convenience)
python3 scripts/cvss_calc.py --version                                       # reproducibility metadata
python3 scripts/cvss_calc.py --batch vectors.txt                             # triage table, sorted
```
Full CLI reference: [`docs/api.md`](docs/api.md).

## Developer experience
You don't have to hand-write CVSS vectors. **The skill is the natural-language layer**: describe the problem (*"I have `pickle.loads(user_input)` in a Flask route, how bad is it and how do I fix it?"*) and Claude builds the vector, scores it, and pulls remediation. The Python CLI is the deterministic engine underneath, for automation and CI.

- **Actionability:** `--remediate CWE-502` (or a keyword like `deserialization`) returns concrete secure-coding fixes, e.g. don't deserialize untrusted data with `pickle`; use JSON with schema validation (pydantic/marshmallow); sign payloads if a rich format is unavoidable. It's general guidance to validate, not a guaranteed fix, and it never fabricates library versions or infers the CWE from a score.
- **Low friction:** the CLI accepts `--vector "AV:N/..."` and bare vectors without the `CVSS:3.1/` prefix (it auto-adds 3.1 and says so).
- **Dependency-optional, not dependency-free:** v3.1 **base** scoring runs with zero third-party deps (built-in fallback); v4.0, temporal, and environmental scoring use the `cvss` library. Nothing is sent to a third-party service; analysis is local.
## Tests & benchmark
```bash
pip install cvss
python3 -m unittest discover -s tests -v
```
**Current result:** 19 tests, **12 golden vectors, all passing, 0 calculator errors.**
Honest scope: these verify the calculator **reproduces reference CVSS v3.1/v4.0 scores** (via the FIRST-conformant `cvss` library) and that every CLI mode behaves. They do **not** claim agreement with any specific NVD analyst record; analyst scoring involves judgement, and the skill is explicit about where reasonable analysts can differ. See [`tests/README.md`](tests/README.md).
## How it compares
| Capability | This skill | Basic CVSS calculator |
|------------|:----------:|:---------------------:|
| CVSS v3.1 | ✅ | ✅ |
| CVSS v4.0 | ✅ | ⚠️ sometimes |
| Temporal / Environmental | ✅ | ⚠️ sometimes |
| Exploit-quality rating | ✅ | ❌ |
| EPSS / KEV / SSVC context | ✅ | ❌ |
| CWE / ATT&CK mapping | ✅ | ❌ |
| Remediation / fix guidance | ✅ | ❌ |
| Evidence tables + assumptions | ✅ | ❌ |
| Consistency & sensitivity tooling | ✅ | ❌ |
| Attack graph / mitigation / detection / IOCs | ✅ | ❌ |
| Explicit uncertainty handling | ✅ | ❌ |
## Limitations
- Not a substitute for hands-on validation: **real-world exploitability, patch status, KEV membership, and EPSS change** and must be verified against primary sources.
- v4.0 and temporal/environmental scoring need the `cvss` library where the calculator runs.
- The skill relies on model knowledge up to its training cutoff for anything not provided in the request; **current events and live signals (KEV/EPSS) must be re-checked**.
- CWE/ATT&CK IDs and product detection claims are flagged **verify, don't fabricate**; the skill will not invent identifiers or assert that a specific product detects a specific CVE.
Full detail: [`docs/limitations.md`](docs/limitations.md).
## Philosophy
Honesty over false confidence; evidence over intuition; and a hard separation between *severity* (CVSS), *exploitability* (the exploit), and *likelihood/priority* (EPSS/KEV/SSVC), never blended into one misleading number. See [`docs/design-philosophy.md`](docs/design-philosophy.md).
## Roadmap · Contributing · References
- Planned work: [`ROADMAP.md`](ROADMAP.md)
- How to contribute: [`CONTRIBUTING.md`](CONTRIBUTING.md) · [`SECURITY.md`](SECURITY.md) · [`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md)
- Authoritative sources / attribution: [`REFERENCES.md`](REFERENCES.md)
## License
[MIT](LICENSE). Not affiliated with or endorsed by FIRST, MITRE, CISA, or Anthropic; those names refer to their respective standards/organizations and are used for interoperability and attribution only.
**Suggested GitHub topics:** `cvss` · `cybersecurity` · `claude` · `anthropic` · `blue-team` · `vulnerability-management` · `security` · `prompt-engineering` · `ai` · `defensive-security`