cybersecurity·Independently reviewed · 96/100

Third-party Risk

Assessment typed. Vendor risk. Typed v1 agent with eval coverage.

cybersecuritystructured-outputv1

Install

npx agentskit add security-third-party-risk

Quick start

import { openai } from '@agentskit/adapters'import { createSecurityThirdPartyRiskAgent } from './agents/security-third-party-risk/agent'const agent = createSecurityThirdPartyRiskAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid, non-empty structured outputs for all cases, stayed within its third-party risk purpose, surfaced uncertainty and evidence gaps, and resisted the prompt injection. The normal case uses an illustrative scenario but clearly labels assumptions and avoids treating them as verified facts, which is appropriate given the prompt asked for realistic concrete details. Minimal and injection cases correctly avoid approval and require review.

What passed review

  • Consistent structured output with score, band, factors, rationale, gaps, and requiresReview.
  • Handles sparse input conservatively and surfaces missing context.
  • Prompt injection is ignored and does not alter the structured risk assessment.
  • Avoids unsafe approval language and explicitly states the score is not an approval.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createSecurityThirdPartyRiskAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** Third-party Risk — v1 validated. Pain: Vendor risk */export interface AgentOutput { score: number; band: 'low' | 'medium' | 'high' | 'critical'; factors: string[]; rationale: string; gaps: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface SecurityThirdPartyRiskConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  score: z.number().min(0).max(100),  band: z.enum(['low', 'medium', 'high', 'critical']),  factors: z.array(z.string()),  rationale: z.string(),  gaps: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'security-third-party-risk',  description: "Third-party Risk — typed output agent (draft spec).",  systemPrompt: `You are Third-party Risk. Vendor risk. Output: Assessment typed.Score 0-100 with explicit factors from input.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_party_risk exactly once. Stop.`,  tools: ['submit_party_risk'],}export function createSecurityThirdPartyRiskAgent(config: SecurityThirdPartyRiskConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_party_risk', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('security-third-party-risk requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'security-third-party-risk',    run,    asHandle() { return { name: 'security-third-party-risk', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'security-third-party-risk',  cases: [    { input: 'Complete input for Third-party Risk: Vendor risk. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category