The agent-threat-intelligence-skill is a 7-phase behavioral protocol for security agents that need to consume, triage, and act on live threat intelligence. It covers CVE/OSV feed ingestion (pairing with the security-intel-live data asset), CVSS v3.1 severity scoring with a composite risk model that adds exploitability, exposure, and blast radius factors, MITRE ATT&CK technique mapping, time-to-exploit prediction, automated incident prioritization (P1 through P4 with SLA targets), response trigger patterns (alert, block CI, create ticket, pause DeFi protocol), and a structured patch management checklist.
Built for three agent use cases: CI/CD security gates (block deploys on critical CVEs), DeFi protocol monitors (detect smart contract vulnerabilities before exploitation), and infrastructure security agents (continuous asset monitoring with automated escalation).
| Phase | What It Does | Output |
|---|---|---|
| 1. Feed Ingestion | Query security-intel-live, deduplicate, continuous polling | ThreatSignal[] with CVE/OSV IDs |
| 2. CVSS Scoring | CVSS v3.1 interpretation + composite risk (exploitability + exposure + blast radius) | CompositeRiskScore with P1-P4 priority |
| 3. MITRE ATT&CK Mapping | Pattern-match CVE summary → ATT&CK technique + tactic + mitigations | AttackTechnique with mitigation controls |
| 4. Exploit Prediction | Estimate days-to-exploit from CVSS + POC availability + prevalence + DeFi exposure | ExploitPrediction with accelerators |
| 5. Priority Queue | Sort all incidents by composite risk; assign P1-P4 with SLA hours | PrioritizedIncident[] sorted by risk |
| 6. Response Triggers | P1: block CI + alert Slack; P2: create ticket; DeFi critical: pause protocol | ResponseAction[] ready to execute |
| 7. Remediation Workflow | 5-step patch checklist: verify scope → assess blast radius → patch → validate → document | DependencyPatch plan + audit trail |

| Score | Severity | Patch SLA | Agent Action |
|---|---|---|---|
| 9.0–10.0 | Critical | 24 hours | Block CI/CD · emergency alert · pause DeFi protocol |
| 7.0–8.9 | High | 7 days | Priority ticket · notify security oncall |
| 4.0–6.9 | Medium | 30 days | Schedule in next sprint |
| 0.1–3.9 | Low | Next release | Log and monitor |
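
The severity table above applied as a CI/CD gate, with the deduplication step from Phase 1. This is an added example, not ClawMerchants' code: it uses the CVSS base score only (not the skill's composite risk), and the signal shape (`id`, `cvss`), the function names `classify` and `gate`, and the action labels are assumptions.

```javascript
// Added example: names and the signal shape are assumptions, not the skill's API.
// Bands follow the page's Score / Severity / Patch SLA table.
const BANDS = [
  { min: 9.0, severity: 'Critical', slaHours: 24, action: 'block-ci' },
  { min: 7.0, severity: 'High', slaHours: 7 * 24, action: 'priority-ticket' },
  { min: 4.0, severity: 'Medium', slaHours: 30 * 24, action: 'schedule-sprint' },
  { min: 0.1, severity: 'Low', slaHours: null, action: 'log-and-monitor' }, // "Next release": no fixed deadline
];

function classify(cvss) {
  if (typeof cvss !== 'number' || Number.isNaN(cvss) || cvss < 0 || cvss > 10) {
    throw new RangeError(`invalid CVSS base score: ${cvss}`);
  }
  // 0.0 is CVSS v3.1 "None"; the page's table has no row for it (assumed: ignore).
  return BANDS.find(b => cvss >= b.min) ||
    { min: 0, severity: 'None', slaHours: null, action: 'ignore' };
}

function gate(signals, now = new Date()) {
  // Deduplicate by ID, keeping the highest score seen across polls.
  const byId = new Map();
  for (const s of signals) {
    const prev = byId.get(s.id);
    if (!prev || s.cvss > prev.cvss) byId.set(s.id, s);
  }
  const findings = [...byId.values()]
    .map(s => {
      const band = classify(s.cvss);
      const patchBy = band.slaHours === null ? null
        : new Date(now.getTime() + band.slaHours * 3600e3).toISOString();
      return { id: s.id, cvss: s.cvss, severity: band.severity, action: band.action, patchBy };
    })
    .sort((a, b) => b.cvss - a.cvss); // highest score first
  // Only the Critical band blocks the deploy; everything else is ticketed or logged.
  return { blockDeploy: findings.some(f => f.action === 'block-ci'), findings };
}

// Constructed sample input (placeholder IDs, not real advisories).
const sample = [
  { id: 'CVE-0000-0001', cvss: 9.8 },
  { id: 'CVE-0000-0002', cvss: 7.5 },
  { id: 'CVE-0000-0001', cvss: 9.1 }, // duplicate from a second poll
  { id: 'CVE-0000-0003', cvss: 5.3 },
];
console.log(gate(sample, new Date('2024-01-01T00:00:00Z')));
```
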
This skill is built to pair with security-intel-live — ClawMerchants' live CVE/threat intelligence feed. The feed provides:
Feed endpoint: GET https://clawmerchants.com/v1/data/security-intel-live ($0.02/query)
```javascript
// Ingest → score → prioritize → respond in one pipeline
const signals = await ingestThreatFeed({ severity: 'high', minCvss: 7.0 });
const queue = await buildPriorityQueue(signals, { isInternetFacing: true, affectedSystemCount: 12 });
for (const incident of queue.filter(i => i.compositeRisk.priority === 'P1')) {
  const actions = await triggerIncidentResponse(incident, {
    slackWebhook: process.env.SLACK_WEBHOOK,
    ciPipelineId: process.env.CI_PIPELINE_ID,
  });
  console.log('P1 response actions:', actions);
}
```
Claude Code, Cursor, Codex CLI, ChatGPT, Gemini CLI, AutoGen, CrewAI, LangGraph, and any HTTP-capable agent framework.
GET https://clawmerchants.com/v1/data/agent-threat-intelligence-skill