oma-deepsec

Solid

Drive Vercel's `deepsec` agent-powered vulnerability scanner end-to-end: installing the `.deepsec/` workspace, bootstrapping `INFO.md`, running cost-aware `scan` / `process` / `triage` / `revalidate` / `export` passes, gating PRs with `process --diff`, writing custom matchers, and triaging findings. Use whenever the user mentions deepsec, asks an agent to scan a repo for vulnerabilities, runs into `pnpm deepsec` / `bunx deepsec` commands, wants a CI-based PR security review, sees a `.deepsec/` directory, or asks about `INFO.md` / matchers / `process --diff` / `revalidate`, even when the tool name is not spoken. Deepsec scans are expensive (a single full scan can cost hundreds to tens of thousands of dollars) so the skill exists in part to keep the user from getting surprised.

Code & Development 1,081 stars 126 forks Updated today MIT

Install

View on GitHub

Quality Score: 93/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Deepsec: Agent-Powered Vulnerability Scanner Driver ## Scheduling ### Goal Operate Vercel's `deepsec` security scanner inside a target repository safely and cost-consciously: bootstrap the `.deepsec/` workspace, write a tight `INFO.md`, run the right scan/process/triage/revalidate/export sequence, gate PRs in CI via `process --diff`, and grow project-specific matchers, surfacing real, revalidated findings without runaway spend. ### Intent signature - User mentions `deepsec`, "deep security scan", `bunx deepsec`, `pnpm deepsec`, `npx deepsec`. - User asks an agent to scan a repository for vulnerabilities, security issues, or CVEs and the project has (or should have) a `.deepsec/` directory. - User asks how to add a deepsec PR / CI security gate, or about `process --diff`, `--diff-staged`, `--diff-working`, `--files-from`, `--comment-out`. - User mentions deepsec artefacts: `INFO.md`, `SETUP.md`, `data/<id>/files/`, `FileRecord`, `RunMeta`, `revalidation`, `triage`, custom matchers, `MatcherPlugin`, `noiseTier`, `priorityPaths`. - User asks about deepsec configuration: `deepsec.config.ts`, `defaultAgent`, `AI_GATEWAY_API_KEY`, `VERCEL_OIDC_TOKEN`, AI Gateway, Vercel Sandbox, `--agent codex`, `--agent claude`. - User asks how to lower deepsec cost, cut false-positive rate, or interpret severity / triage / revalidation verdicts. ### When to use - First-time deepsec install in a repo (`init`, `INFO.md` write, first calibration scan). - Running a full or scoped scan and proce...

Details

Author
first-fluke
Repository
first-fluke/oh-my-agent
Created
4 months ago
Last Updated
today
Language
TypeScript
License
MIT

Integrates with

Vercel · Cloud

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

deepsec-integration

Run Vercel's DeepSec security scanner against any Walter-OS-tracked repo ([Project A], [Project B], [Company], hackathons). DeepSec uses thinking-level models to surface hard-to-find vulns that pattern matchers miss. SPENDS MONEY ($100s-$thousands per scan). Operator-invoked only, with explicit budget cap and confirmation. Triggered by user requests like "run deepsec on [project-a]", "scan [company] for vulnerabilities", "deep security audit of <repo>".

5 Updated today
Xipher-Labs
AI & Automation Listed

agent-security-scan

Use for report-only static scans of settings, hooks, skills, Model Context Protocol config, credential surfaces, remote fetches, shell side effects, and broad exposure risks. Do not print raw secrets or apply automatic fixes.

13 Updated 3 days ago
AidALL
AI & Automation Listed

devpilot-scanning-repos

Use when the user asks to scan, audit, or sweep an entire GitHub repository for issues and file them as tickets — "scan this repo", "audit the codebase", "find bugs/security holes/missing tests", "check the docs are still accurate", "/repo-scan", "open issues for all the problems you find". Scans security, edge cases, testing coverage, and doc/code drift (CLAUDE.md, AGENTS.md, README.md and the docs they link to) without assuming business logic. Do NOT use for reviewing a single PR (use devpilot-pr-review) or language-specific style review (use devpilot-google-go-style).

4 Updated yesterday
SiyuQian