بنقرة واحدة
weekly-dep-audit
Audit dependencies across configured repos for security advisories, open triage issues
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Audit dependencies across configured repos for security advisories, open triage issues
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Build human-readable release notes from a range of commits or merged PRs
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Prepare a 1-page brief for an upcoming meeting by combining calendar context, recent threads with attendees, and relevant docs
Classify incoming messages from public channels as spam / prompt-injection-attempt / genuine; quarantine risky ones
Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
| name | weekly-dep-audit |
| description | Audit dependencies across configured repos for security advisories, open triage issues |
| when_to_use | ["Scheduled weekly","After a viral CVE disclosure","Before a production release"] |
| toolsets | ["delegate_task","github"] |
| parameters | {"repos":{"type":"array","description":"List of owner/repo entries to audit. Defaults to all repos with a `hermes-audit` topic.","default":[]},"severity_floor":{"type":"string","enum":["low","medium","high","critical"],"default":"high"}} |
Uses Gemini 2.5 Pro's 1M context to ingest entire lockfiles + advisory databases and report actionable findings.
Resolve repos. If repos: is empty, query GitHub for repos the calling user owns with the hermes-audit topic (via github MCP). Otherwise use the provided list.
For each repo, pull the relevant lockfile(s):
package-lock.json / pnpm-lock.yaml / yarn.lockuv.lock / poetry.lock / Pipfile.lock / requirements*.txtCargo.lockgo.sumGemfile.lockDelegate to Gemini 2.5 Pro. Build a single delegate_task call:
goal: |
Audit the following lockfiles for security advisories at severity ${SEVERITY_FLOOR} or higher.
Cross-reference against:
- https://osv.dev
- https://github.com/advisories
- https://security.snyk.io
For each finding, output JSON:
{ repo, ecosystem, package, current_version, vulnerable_ranges, advisory_id, severity, cvss, recommendation }
context:
- lockfile_dump: |
# repo1/package-lock.json
...
# repo2/uv.lock
...
toolsets: [web]
model: gemini-2.5-pro # 1M context
max_iterations: 30
Collate findings. Parse the JSON back. Dedupe by advisory_id across repos.
Open triage issues. For each finding at severity ≥ severity_floor:
github MCP if an issue with title [dep-audit] {advisory_id} already exists in the affected repo. Skip if so.npm update {package})security, dep-audit.Send a summary to the configured notification channel:
📊 Weekly dep-audit 2026-04-17
- 4 repos scanned (1247 packages)
- 3 new CRITICAL, 7 HIGH, 14 MEDIUM
- Opened 10 triage issues
→ https://github.com/issues?q=label:dep-audit+state:open
# ~/.hermes/cron.yaml
- name: weekly-dep-audit
schedule: "0 9 * * 1" # Mondays 9am
task: /weekly-dep-audit severity_floor=high
notify: telegram_private
Gemini 2.5 Pro at $1.25/$10 per MTok ingesting 1M of lockfiles ≈ $1.25 per run. Cheaper than GitHub Advanced Security for small orgs, and catches non-GitHub advisories too.