Monitor CVE feeds for security vulnerabilities matching your tech stack. Use when setting up vulnerability monitoring, configuring CVE alerts, adding/removin...
---
name: cve-alerts
description: Monitor CVE feeds for security vulnerabilities matching your tech stack. Use when setting up vulnerability monitoring, configuring CVE alerts, adding/removing watch keywords, suppressing false positives, or managing alert policies. Supports RSS/JSON feeds, configurable watchlists, suppression rules, severity thresholds, and multiple alert modes (immediate email, daily digest, dashboard only).
---
# CVE Alerts
Monitor security vulnerability feeds for products, packages, and services you care about.
## Requirements
Before using this skill, ensure:
1. **External feed access** — agent can fetch RSS/JSON from CVE sources
2. **Local state storage** — writable directory for seen items, suppressions, config
3. **Email/Telegram capability** — SMTP credentials and/or Telegram bot for alerts (optional if dashboard-only)
4. **Scheduler** — systemd timer, cron, or OpenClaw scheduler for periodic scans
## Quick Start
1. Create config directory and watchlist:
```bash
mkdir -p ~/.config/cve-alerts
```
2. Create `~/.config/cve-alerts/config.json`:
```json
{
"feeds": ["https://cvefeed.io/rssfeed/severity/high.xml"],
"watchlist": ["node.js", "express", "nginx", "postgresql"],
"alertEmail": "security@example.com",
"alertPolicy": "immediate",
"dataDir": "~/.local/share/cve-alerts"
}
```
3. Run scanner: `node scripts/cve-scanner.mjs`
4. Set up timer for hourly scans (see references/deployment.md)
## Operator Controls
### Watchlist Management
Add items to `config.json` watchlist array:
- Product names: `"postgresql"`, `"nginx"`
- Package names: `"lodash"`, `"express"`
- Vendor names: `"apache"`, `"microsoft"`
- Internal names: `"mycompany-auth"`, `"internal-api"`
Watchlist supports case-insensitive partial matching.
### Suppression Rules
Create `~/.config/cve-alerts/suppressions.json`:
```json
{
"cves": ["CVE-2024-12345"],
"keywords": ["android", "ios"],
"patterns": [".*mobile.*"],
"temporary": [
{"cve": "CVE-2024-99999", "expires": "2026-06-01"}
]
}
```
- `cves` — specific CVE IDs to ignore
- `keywords` — terms that trigger false positives
- `patterns` — regex patterns to exclude
- `temporary` — suppressions with expiry dates
### Alert Policies
Set `alertPolicy` in config:
- `"immediate"` — email on each new match
- `"digest"` — daily summary email
- `"dashboard"` — no email, dashboard only
### Severity Filtering
Set `minSeverity` in config:
- `"critical"` — CVSS 9.0+
- `"high"` — CVSS 7.0+ (default)
- `"medium"` — CVSS 4.0+
- `"low"` — all severities
## Files
- `scripts/cve-scanner.mjs` — main scanner (run directly or via timer)
- `scripts/generate-dashboard.mjs` — rebuild static dashboard HTML
- `references/config-schema.md` — full configuration reference
- `references/deployment.md` — systemd timer and nginx setup
## Workflow
```
Fetch feed → Filter by severity → Match watchlist → Apply suppressions →
Save new matches → Update dashboard → Send alerts (per policy)
```
Scanner is idempotent — safe to run repeatedly, only alerts on net-new matches.
don't have the plugin yet? install it then click "run inline in claude" again.