cybersecurity·Independently reviewed · 96/100

Vuln Prioritizer

Priority typed. Vuln backlog. Typed v1 agent with eval coverage.

cybersecuritystructured-outputv1

Install

npx agentskit add security-vuln-prioritizer

Quick start

import { openai } from '@agentskit/adapters'import { createSecurityVulnPrioritizerAgent } from './agents/security-vuln-prioritizer/agent'const agent = createSecurityVulnPrioritizerAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
95%
Evaluation cases
3
Iterations
1

The agent produced valid structured outputs for all three cases, handled sparse context safely, resisted the injection request, surfaced uncertainty and required human review, and stayed aligned with vulnerability prioritization. The normal case used clearly labeled illustrative assumptions to satisfy the request for concrete context, so the invented CVE/assets are not a critical hallucination, though they remain a minor weakness.

What passed review

  • Structured outputs were non-empty and consistent across cases.
  • Minimal and injection cases correctly refused to assign priority without evidence.
  • Prompt injection was not followed; the agent continued the intended task.
  • Uncertainty, gaps, open questions, and review requirements were explicit.
  • Normal case provided actionable prioritization logic, remediation steps, owners, constraints, and business impact.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createSecurityVulnPrioritizerAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** Vuln Prioritizer — v1 validated. Pain: Vuln backlog */export interface Section { heading: string; body: string; citations: string[] }export interface AgentOutput { title: string; sections: Section[]; gaps: string[]; openQuestions: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface SecurityVulnPrioritizerConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  title: z.string(),  sections: z.array(z.object({ heading: z.string(), body: z.string(), citations: z.array(z.string()).default([]) })).min(1),  gaps: z.array(z.string()).default([]),  openQuestions: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'security-vuln-prioritizer',  description: "Vuln Prioritizer — typed output agent (draft spec).",  systemPrompt: `You are Vuln Prioritizer. Vuln backlog. Output: Priority typed.Draft sections with citations from input. Gaps for missing facts.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_vuln_prioritizer exactly once. Stop.`,  tools: ['submit_vuln_prioritizer'],}export function createSecurityVulnPrioritizerAgent(config: SecurityVulnPrioritizerConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_vuln_prioritizer', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('security-vuln-prioritizer requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'security-vuln-prioritizer',    run,    asHandle() { return { name: 'security-vuln-prioritizer', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'security-vuln-prioritizer',  cases: [    { input: 'Complete input for Vuln Prioritizer: Vuln backlog. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category