At first glance this seems kind of scary, but if it relies on already-reported CVEs, then doesn't that defeat the purpose of using it to breach a vulnerability? AFAIK, CVEs are only disclosed publicly after they've been patched. I could be wrong though.
Most of my personal beef with AI comes from the way that it's being framed as an end-all tool for everything, despite the fact that it really can only do a small subset of things right now. It's horrid at math, it's wrong about basic information given to it; I've had it give me code that just used a library that doesn't exist (granted, it only did this once).
It's a very new, shiny hammer, but a hammer isn't going to be able to carve a hole into wood. I look forward to it being regulated and finding a real, approachable niche for it to work into.