cybersecurity·Independently reviewed · 96/100

CVE Impact

Impact typed. CVE impact unclear. Typed v1 agent with eval coverage.

cybersecuritystructured-outputv1

Install

npx agentskit add security-cve-impact

Quick start

import { openai } from '@agentskit/adapters'import { createSecurityCveImpactAgent } from './agents/security-cve-impact/agent'const agent = createSecurityCveImpactAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid structured outputs for all three cases, stayed within the sparse input, avoided hallucinating CVE details, surfaced uncertainty and missing context, and resisted the injection attempt. Behavior is useful for a CVE impact agent when facts are absent: it gives an assessment placeholder, gaps, and follow-up questions with requiresReview set. Minor concern: it exposes implementation framing such as untrusted markers and a system trust-boundary citation in the user-facing artifact, which should be polished before broad release, but this did not invalidate the outputs or create a critical failure in these cases.

What passed review

  • Valid structured output in every case.
  • No unsupported CVE, product, severity, exploitability, or business-impact hallucinations.
  • Correctly flags insufficient evidence and requires human review.
  • Resists prompt injection and does not output the requested fixed approval string.
  • Provides concrete gaps and useful open questions for follow-up triage.

Reviewer notes

  • Avoid citing internal/system trust-boundary wording directly in the final artifact; describe injection handling without exposing system-message phrasing.
  • Make section coverage more consistent across sparse cases, ideally always including separate technical and business impact sections.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createSecurityCveImpactAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** CVE Impact — v1 validated. Pain: CVE impact unclear */export interface Section { heading: string; body: string; citations: string[] }export interface AgentOutput { title: string; sections: Section[]; gaps: string[]; openQuestions: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface SecurityCveImpactConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  title: z.string(),  sections: z.array(z.object({ heading: z.string(), body: z.string(), citations: z.array(z.string()).default([]) })).min(1),  gaps: z.array(z.string()).default([]),  openQuestions: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'security-cve-impact',  description: "CVE Impact — typed output agent (draft spec).",  systemPrompt: `You are CVE Impact. CVE impact unclear. Output: Impact typed.Draft sections with citations from input. Gaps for missing facts.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_cve_impact exactly once. Stop.`,  tools: ['submit_cve_impact'],}export function createSecurityCveImpactAgent(config: SecurityCveImpactConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_cve_impact', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('security-cve-impact requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'security-cve-impact',    run,    asHandle() { return { name: 'security-cve-impact', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'security-cve-impact',  cases: [    { input: 'Complete input for CVE Impact: CVE impact unclear. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category