marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claude-code-ultimate-guide/examples/commands/update-threat-db.md
Florian BRUNIAUX 91d36f00dd docs(examples): add YAML frontmatter to 20 command templates 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 19:20:36 +01:00

169 lines
5.1 KiB
Markdown
Raw Blame History

---
name: update-threat-db
description: "Research and update the AI agent security threat intelligence database"
---
# Update Threat Database
Research and update the AI agent security threat intelligence database with the latest threats, CVEs, malicious skills, and campaigns.
**Time**: 3-8 minutes | **Scope**: `examples/commands/resources/threat-db.yaml`
> Requires Perplexity MCP (or manual web search). Run monthly or after major security advisories.
## Instructions
You are a threat intelligence analyst specializing in AI coding agent security. Research the latest threats and update the threat database.
---
### Phase 1: Current State Assessment
Read the current threat database:
```
Read examples/commands/resources/threat-db.yaml
```
Note:
- Current `version` and `updated` date
- Number of malicious authors, skills, CVEs, campaigns
- Most recent entries to avoid duplicates
---
### Phase 2: Research New Threats
Run **4 targeted Perplexity searches** (parallel when possible):
**Search 1: New malicious skills & campaigns**
```
Query: "malicious AI agent skills ClawHub OpenClaw skills.sh 2026 new campaigns malware supply chain"
Focus: New malicious skill names, authors, campaigns not already in threat-db.yaml
```
**Search 2: New MCP server CVEs**
```
Query: "MCP server CVE vulnerability 2025 2026 model context protocol security advisory"
Focus: New CVEs for MCP servers, SDK vulnerabilities, transport-level flaws
```
**Search 3: New attack techniques**
```
Query: "AI coding agent attack prompt injection Claude Code Cursor supply chain security research 2026"
Focus: New attack vectors, techniques, research papers
```
**Search 4: New defensive tools & blocklists**
```
Query: "MCP security scanner tool mcp-scan alternative AI agent skills security scanning 2026"
Focus: New scanning tools, blocklists, defensive frameworks
```
If Perplexity MCP is unavailable, use WebSearch for each query.
---
### Phase 3: Analyze & Deduplicate
For each finding from Phase 2:
1. **Check if already in threat-db.yaml** — skip duplicates
2. **Verify source credibility** — prefer: CVE databases, security vendor blogs, peer-reviewed research
3. **Categorize** — which section does it belong to?
- `malicious_authors` — new confirmed malicious publishers
- `malicious_skills` — new confirmed malicious skill/package names
- `malicious_skill_patterns` — new prefix patterns for wildcard matching
- `cve_database` — new CVEs with component, severity, fixed_in
- `minimum_safe_versions` — update if new patches available
- `iocs` — new C2 IPs, exfil URLs, malware hashes
- `campaigns` — new coordinated campaigns
- `attack_techniques` — new documented attack vectors
- `scanning_tools` — new tools or major updates
- `defensive_resources` — new frameworks, blocklists
4. **Assess risk level**:
- `critical` — confirmed malicious, active exploitation
- `high` — confirmed vulnerable, exploit available
- `medium` — theoretical risk, no known exploitation
- `low` — informational
---
### Phase 4: Update threat-db.yaml
Apply changes following these rules:
1. **Bump version** — increment minor (e.g. 2.0.0 → 2.1.0) for new entries, major for schema changes
2. **Update `updated` date** — set to today
3. **Add new sources** — add any new research sources to the `sources` list
4. **Maintain YAML validity** — use single quotes for patterns containing backslashes
5. **Preserve existing entries** — never remove entries unless confirmed false positive
6. **Follow existing format** — match the structure of existing entries exactly
**Important**: After editing, validate YAML:
```bash
python3 -c "import yaml; yaml.safe_load(open('examples/commands/resources/threat-db.yaml')); print('YAML valid')"
```
---
### Phase 5: Update Dependent Files (if needed)
Check if new CVEs should also be added to the security hardening guide:
```bash
# Count current CVEs in threat-db vs security-hardening
grep -c "id:" examples/commands/resources/threat-db.yaml
grep -c "CVE-" guide/security-hardening.md
```
If major new CVEs found (severity critical/high):
- Consider adding to `guide/security-hardening.md` CVE table
- Update `minimum_safe_versions` if new patches released
---
### Phase 6: Summary Report
## Output Format
```
## Threat Database Update Report
**Date**: [timestamp]
**Previous version**: [old version]
**New version**: [new version]
### Changes Summary
| Category | Added | Updated | Total |
|----------|-------|---------|-------|
| Malicious authors | +X | ~X | XX |
| Malicious skills | +X | ~X | XX |
| CVEs | +X | ~X | XX |
| Campaigns | +X | ~X | XX |
| IOCs | +X | ~X | XX |
| Attack techniques | +X | ~X | XX |
| Scanning tools | +X | ~X | XX |
### New Entries
[List each new entry with source and risk level]
### Notable Findings
[Highlight anything particularly important or urgent]
### No Changes Needed
[If nothing new found, explain what was searched and confirmed up-to-date]
### Next Steps
- [ ] Run `/security-check` to test against updated database
- [ ] Update `guide/security-hardening.md` if new critical CVEs
- [ ] Commit: `docs(security): update threat-db vX.Y.Z — [summary]`
```
$ARGUMENTS
Reference in a new issue View git blame Copy permalink