weekly-dep-audit
// Audit dependencies across configured repos for security advisories, open triage issues
| field | value |
| --- | --- |
| name | weekly-dep-audit |
| description | Audit dependencies across configured repos for security advisories, open triage issues |
| when_to_use | ["Scheduled weekly","After a viral CVE disclosure","Before a production release"] |
| toolsets | ["delegate_task","github"] |
| parameters | {"repos":{"type":"array","description":"List of owner/repo entries to audit. Defaults to all repos with a `hermes-audit` topic.","default":[]},"severity_floor":{"type":"string","enum":["low","medium","high","critical"],"default":"high"}} |
Uses Gemini 3.1 Pro's 1M context to ingest entire lockfiles + advisory databases and report actionable findings.
1. Resolve repos. If `repos` is empty, query GitHub for repos the calling user owns with the `hermes-audit` topic (via github MCP). Otherwise use the provided list.
2. For each repo, pull the relevant lockfile(s):
   - `package-lock.json` / `pnpm-lock.yaml` / `yarn.lock`
   - `uv.lock` / `poetry.lock` / `Pipfile.lock` / `requirements*.txt`
   - `Cargo.lock`
   - `go.sum`
   - `Gemfile.lock`
3. Delegate to Gemini 3.1 Pro. Build a single `delegate_task` call:

   ```yaml
   goal: |
     Audit the following lockfiles for security advisories at severity ${SEVERITY_FLOOR} or higher.
     Cross-reference against:
     - https://osv.dev
     - https://github.com/advisories
     - https://security.snyk.io
     For each finding, output JSON:
     { repo, ecosystem, package, current_version, vulnerable_ranges, advisory_id, severity, cvss, recommendation }
   context:
     - lockfile_dump: |
         # repo1/package-lock.json
         ...
         # repo2/uv.lock
         ...
   toolsets: [web]
   model: gemini-3.1-pro   # 1M context
   max_iterations: 30
   ```
4. Collate findings. Parse the JSON back. Dedupe by `advisory_id` across repos.
5. Open triage issues. For each finding at severity ≥ `severity_floor`:
   - Check via github MCP if an issue with title `[dep-audit] {advisory_id}` already exists in the affected repo. Skip if so.
   - Otherwise open an issue with the finding and its recommendation (e.g. `npm update {package}`).
   - Label it `security`, `dep-audit`.
6. Send a summary to the configured notification channel:

   ```
   📊 Weekly dep-audit 2026-04-17
   - 4 repos scanned (1247 packages)
   - 3 new CRITICAL, 7 HIGH, 14 MEDIUM
   - Opened 10 triage issues
   → https://github.com/issues?q=label:dep-audit+state:open
   ```
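The collate, dedupe and triage-issue steps above, as an added Python example that is not part of the skill or the Hermes project: it parses the per-finding JSON the `delegate_task` goal requests, applies `severity_floor`, dedupes by `advisory_id`, plans `[dep-audit] {advisory_id}` issues against titles already open in each repo, and renders the summary. The sample findings, repo names and the rule that one advisory seen in several repos becomes a single finding listing all affected repos are assumptions.

```python
import json
from collections import Counter

# Severity ladder behind the skill's severity_floor enum (low < medium < high < critical).
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample of the per-finding JSON the delegate_task goal asks Gemini to emit.
# Advisory ids, versions and repo names are placeholders, not real advisories.
SAMPLE_OUTPUT = json.dumps([
    {"repo": "acme/api", "ecosystem": "npm", "package": "left-pad", "current_version": "1.0.0",
     "vulnerable_ranges": "<1.0.1", "advisory_id": "GHSA-xxxx-0001", "severity": "critical",
     "cvss": 9.8, "recommendation": "npm update left-pad"},
    {"repo": "acme/web", "ecosystem": "npm", "package": "left-pad", "current_version": "1.0.0",
     "vulnerable_ranges": "<1.0.1", "advisory_id": "GHSA-xxxx-0001", "severity": "critical",
     "cvss": 9.8, "recommendation": "npm update left-pad"},
    {"repo": "acme/api", "ecosystem": "PyPI", "package": "requests", "current_version": "2.25.0",
     "vulnerable_ranges": "<2.31.0", "advisory_id": "GHSA-xxxx-0002", "severity": "medium",
     "cvss": 6.1, "recommendation": "bump requests to 2.31.0"},
])

def collate(raw_json, severity_floor):
    """Parse the delegated output, drop findings below the floor, dedupe by advisory_id.
    Assumption: one advisory hit in several repos becomes one finding listing those repos."""
    floor = SEVERITY_ORDER.index(severity_floor)
    by_advisory = {}
    for f in json.loads(raw_json):
        if SEVERITY_ORDER.index(f["severity"].lower()) < floor:
            continue
        entry = by_advisory.setdefault(f["advisory_id"], {**f, "repos": []})
        if f["repo"] not in entry["repos"]:
            entry["repos"].append(f["repo"])
    return list(by_advisory.values())

def issue_title(advisory_id):
    return f"[dep-audit] {advisory_id}"

def plan_issues(findings, existing_titles):
    """(repo, title) pairs still to open; existing_titles maps repo -> titles already open,
    which stands in for the per-repo duplicate check the skill does through the github MCP."""
    return [(repo, issue_title(f["advisory_id"]))
            for f in findings for repo in f["repos"]
            if issue_title(f["advisory_id"]) not in existing_titles.get(repo, set())]

def summary(date, repos_scanned, packages, findings, opened):
    # Render the notification message in the layout the skill posts (counts per severity).
    counts = Counter(f["severity"].upper() for f in findings)
    return (f"Weekly dep-audit {date}\n- {repos_scanned} repos scanned ({packages} packages)\n"
            f"- {counts['CRITICAL']} new CRITICAL, {counts['HIGH']} HIGH, {counts['MEDIUM']} MEDIUM\n"
            f"- Opened {len(opened)} triage issues")
```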
```yaml
# ~/.hermes/cron.yaml
- name: weekly-dep-audit
  schedule: "0 9 * * 1"   # Mondays 9am
  task: /weekly-dep-audit severity_floor=high
  notify: telegram_private
```
Gemini 3.1 Pro at $1.50/$12 per MTok ingesting 1M of lockfiles ≈ $1.50 per run. Cheaper than GitHub Advanced Security for small orgs, and catches non-GitHub advisories too.