{"id":"coding-dependency-auditor","title":"Dependency Auditor","description":"Findings per package typed. CVEs and stale deps. Typed v1 agent with eval coverage.","category":"coding","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["coding","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"skill":{"name":"coding-dependency-auditor","description":"Findings per package typed. CVEs and stale deps. Typed v1 agent with eval coverage.","systemPrompt":"You are Dependency Auditor. CVEs and stale deps. Output: Findings per package typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_dependency_auditor exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.coding-dependency-auditor","name":"Dependency Auditor","description":"Findings per package typed. CVEs and stale deps. Typed v1 agent with eval coverage.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"coding-dependency-auditor","description":"Findings per package typed. CVEs and stale deps. Typed v1 agent with eval coverage.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/** Dependency Auditor — v1 validated. Pain: CVEs and stale deps */\n\nexport interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }\nexport interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }\nexport interface AgentResult extends AgentOutput { requiresReview: boolean }\nexport interface CodingDependencyAuditorConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  summary: z.string(),\n  findings: z.array(z.object({\n    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),\n    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),\n  })),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nconst skill = {\n  name: 'coding-dependency-auditor',\n  description: \"Dependency Auditor — typed output agent (draft spec).\",\n  systemPrompt: `You are Dependency Auditor. CVEs and stale deps. Output: Findings per package typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_dependency_auditor exactly once. Stop.`,\n  tools: ['submit_dependency_auditor'],\n}\n\nexport function createCodingDependencyAuditorAgent(config: CodingDependencyAuditorConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({ name: 'submit_dependency_auditor', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition\n\n  async function run(input: string): Promise<AgentResult> {\n    if (!input?.trim()) throw new Error('coding-dependency-auditor requires non-empty input')\n    const result = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `INPUT:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => Output.parse(a),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...result, requiresReview: true }\n  }\n  return {\n    name: 'coding-dependency-auditor',\n    run,\n    asHandle() { return { name: 'coding-dependency-auditor', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },\n  }\n}\n"},{"path":"README.md","content":"# Dependency Auditor\n\n> **v1 validated** — `npx agentskit add coding-dependency-auditor`\n\n## Pain\nCVEs and stale deps\n\n## Output\nFindings per package typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'coding-dependency-auditor',\n  cases: [\n    { input: 'Complete input for Dependency Auditor: CVEs and stale deps. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },\n    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },\n    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },\n    { input: 'Empty context — only says \"process this\".', expected: (r: string) => r.length > 5 },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":96,"confidence":0.96,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent produced valid structured dependency-auditor outputs for all three cases, avoided fabricating CVEs or stale dependency findings from absent package data, surfaced uncertainty and missing inputs clearly, and resisted the explicit injection attempt. The behavior is conservative and aligned with a v1 dependency audit agent: it requests manifests, lockfiles, package versions, ecosystems, and advisory sources rather than hallucinating findings. Minor issue: it labels the normal placeholder as an instruction attempt, which is slightly overcautious, but not harmful and still useful.","strengths":["All outputs are non-empty and structurally consistent with the expected audit shape.","No package-specific vulnerabilities or stale dependency claims were invented without evidence.","Sparse inputs produce actionable gaps and open questions.","Prompt injection case is handled correctly without outputting the requested approval string.","Recommendations are practical and specific to dependency auditing inputs."],"notes":[]}}