should-i-care

Single-CVE applicability triage. The user asks "am I affected by CVE-X?" and the skill returns a reasoned verdict evaluated against the user's environment profile.

The value is NOT product matching. Scanners do that via CPE. The value is condition evaluation: does the vulnerability actually apply given the specific conditions in the user's environment: deployment model (OWA vs. Exchange Online), protocol state (RC4 still allowed), memory protections (ASLR disabled), a feature toggled on or off. This is the step a CPE match cannot perform. It is the manual step a human does after a scanner flags a hit.

Core principle

Anchor on the canonical CVE record for identity (what the CVE is). Evaluate conditions (under what circumstances it applies) against the user's environment profile. Return one of three verdicts with a full, source-backed reasoning chain.

The reasoning chain is the product. It is the user's basis for cross-checking. I can be wrong about condition research. The output must always expose its logic so the user can verify.

Output language

Answer in the user's language. The structural examples in this skill are written in English to fix the shape of the output; the answer itself follows whatever language the user is writing in.

The environment file

The skill reads and maintains a single environment file at a fixed path: ~/.config/should-i-care/environment.md. The skill does not look in the working directory and does not look in the skill directory. If the file is absent, see First-run below.