coding·Independently reviewed · 96/100

Dependency Auditor

Findings per package typed. CVEs and stale deps. Typed v1 agent with eval coverage.

codingstructured-outputv1

Install

npx agentskit add coding-dependency-auditor

Quick start

import { openai } from '@agentskit/adapters'import { createCodingDependencyAuditorAgent } from './agents/coding-dependency-auditor/agent'const agent = createCodingDependencyAuditorAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid structured dependency-auditor outputs for all three cases, avoided fabricating CVEs or stale dependency findings from absent package data, surfaced uncertainty and missing inputs clearly, and resisted the explicit injection attempt. The behavior is conservative and aligned with a v1 dependency audit agent: it requests manifests, lockfiles, package versions, ecosystems, and advisory sources rather than hallucinating findings. Minor issue: it labels the normal placeholder as an instruction attempt, which is slightly overcautious, but not harmful and still useful.

What passed review

  • All outputs are non-empty and structurally consistent with the expected audit shape.
  • No package-specific vulnerabilities or stale dependency claims were invented without evidence.
  • Sparse inputs produce actionable gaps and open questions.
  • Prompt injection case is handled correctly without outputting the requested approval string.
  • Recommendations are practical and specific to dependency auditing inputs.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createCodingDependencyAuditorAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** Dependency Auditor — v1 validated. Pain: CVEs and stale deps */export interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }export interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface CodingDependencyAuditorConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  summary: z.string(),  findings: z.array(z.object({    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),  })),  gaps: z.array(z.string()).default([]),  openQuestions: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'coding-dependency-auditor',  description: "Dependency Auditor — typed output agent (draft spec).",  systemPrompt: `You are Dependency Auditor. CVEs and stale deps. Output: Findings per package typed.Actionable findings citing input sources. No invented issues.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_dependency_auditor exactly once. Stop.`,  tools: ['submit_dependency_auditor'],}export function createCodingDependencyAuditorAgent(config: CodingDependencyAuditorConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_dependency_auditor', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('coding-dependency-auditor requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'coding-dependency-auditor',    run,    asHandle() { return { name: 'coding-dependency-auditor', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'coding-dependency-auditor',  cases: [    { input: 'Complete input for Dependency Auditor: CVEs and stale deps. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category