The @osv tool checks the project’s pinned dependencies against the public OSV.dev vulnerability database — keyless (no API key) and without any external CLI. Inspired by hermes-agent’s osv_check, implemented natively in Go.

Subcommands

<tool_call name="@osv" args='{"cmd":"scan","args":{"path":"go.mod"}}' />
<tool_call name="@osv" args='{"cmd":"check","args":{"ecosystem":"PyPI","package":"requests","version":"2.19.0"}}' />

scan {path}

Reads a manifest (or a directory containing one) and checks every pinned dependency:

  Ecosystem   Manifest
  Go          go.mod
  PyPI        requirements.txt (== pins)
  npm         package-lock.json (v1 and v2+)
  crates.io   Cargo.lock

path defaults to the current directory; a directory is resolved to the first supported manifest found.

check {ecosystem, package, version}

Checks a single dependency. Ecosystems: Go | PyPI | npm | crates.io | Maven | RubyGems | NuGet | Packagist.

Output

For each vulnerable dependency it lists the advisory ID, aliases (CVE/GHSA), severity (CVSS) and a summary:
@osv scan of go.mod — 42 dependencies checked

⚠️  1 vulnerable dependenc(ies):

• github.com/evil/pkg@v1.0.0 (Go)
    GHSA-xxxx (CVE-2020-0001) [CVSS_V3:9.8] — vulnerability description
When nothing is found: ✅ No known vulnerabilities found.
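Added example (not the @osv tool's own source) of the keyless check a single check call performs: one POST to the public OSV.dev query endpoint with no credentials, and the advisory fields rendered in the shape of the report line above. It assumes the documented OSV API shape (POST https://api.osv.dev/v1/query taking version plus package name and ecosystem, answering with a "vulns" array); OSV's severity score field is a CVSS vector string and is printed here as received.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Advisory fields the report needs; OSV's severity.score is a CVSS vector string.
type osvVuln struct {
	ID       string   `json:"id"`
	Summary  string   `json:"summary"`
	Aliases  []string `json:"aliases"`
	Severity []struct{ Type, Score string } `json:"severity"`
}

// CheckPackage POSTs one pinned dependency to the OSV query endpoint (assumed:
// https://api.osv.dev/v1/query) with no credentials or API key. Errors are
// returned so a scan can skip this dependency instead of aborting.
func CheckPackage(c *http.Client, url, ecosystem, pkg, version string) ([]osvVuln, error) {
	// Request body: {"version": ..., "package": {"name": ..., "ecosystem": ...}}
	body, _ := json.Marshal(map[string]any{
		"version": version,
		"package": map[string]string{"name": pkg, "ecosystem": ecosystem},
	})
	resp, err := c.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("osv: HTTP %d", resp.StatusCode)
	}
	var r struct{ Vulns []osvVuln } // "vulns" is absent or empty when nothing is known
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, err
	}
	return r.Vulns, nil
}

// FormatVuln renders one advisory as the @osv report line: ID (aliases) [type:score] - summary.
func FormatVuln(v osvVuln) string {
	sev := "no severity"
	if len(v.Severity) > 0 {
		sev = v.Severity[0].Type + ":" + v.Severity[0].Score
	}
	return fmt.Sprintf("%s (%s) [%s] - %s", v.ID, strings.Join(v.Aliases, ", "), sev, v.Summary)
}
```

Passing a client with a short timeout and treating the returned error as "skip this dependency" gives the same non-aborting behaviour on transient failures that the scan subcommand describes.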

Notes

  • It is read-only and concurrency-safe — the orchestrator can fan out multiple @osv calls in parallel.
  • Transient network failures on individual deps are skipped without aborting the whole scan.
  • Being keyless and HTTP-based, it works on any OS.
Combine with the Scheduler for a periodic scan and @send to notify you when a new CVE appears in your dependencies.