
Security & Vuln Intel

OSV Lookup

Open-source vulnerability lookup.

osv_lookup

Overview

Checks whether a specific open-source library has any vulnerabilities recorded in the OSV.dev database, for npm (JavaScript), PyPI (Python), Maven (Java), or Go packages. Useful right before upgrading a dependency or when auditing a project's dependency tree.

How it works

Queries the OSV.dev API with a package name, its ecosystem (npm, PyPI, Maven, Go; OSV matches these names case-sensitively, and Maven packages are named groupId:artifactId), and optionally a specific version. Returns the list of matching vulnerabilities with their OSV IDs, affected version ranges, severity, and references. Passing a version narrows the result to advisories whose affected ranges include that version; without one, the result covers every advisory recorded for the package. Severity is an optional field in OSV records, so some results carry no score and should not be read as "low" on that basis.
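How the query described above is built and consumed, as an added example that is not the SwarmAI tool's own code. It assumes only the public OSV.dev request and response shape (a JSON body with package, ecosystem and optional version sent to the /v1/query endpoint; a vulns list in the reply; next_page_token when the reply is paged). The sample reply pages and their ids are constructed placeholders, not real OSV data for lodash. It goes slightly beyond the paragraph by following pagination and by checking the two input rules OSV applies (exact ecosystem spelling, groupId:artifactId naming for Maven).

```python
"""Build an OSV.dev /v1/query request and summarise what comes back.

Added example; not the SwarmAI OSVLookupTool's code. Assumes only the public
OSV.dev API shape: POST https://api.osv.dev/v1/query with a JSON body, a
'vulns' list in the reply, and 'next_page_token' when the reply is paged.
"""
import json
import urllib.request
from typing import Callable, Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
# The four ecosystems the tool supports, spelled as OSV expects (case-sensitive).
ECOSYSTEMS = {"npm", "PyPI", "Maven", "Go"}


def build_query(package: str, ecosystem: str, version: Optional[str] = None) -> dict:
    """Request body for /v1/query; the version is optional and narrows the match."""
    if ecosystem not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem {ecosystem!r}; expected one of {sorted(ECOSYSTEMS)}")
    if ecosystem == "Maven" and ":" not in package:
        raise ValueError("OSV names Maven packages as groupId:artifactId")
    body = {"package": {"name": package, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body


def first_fixed_version(vuln: dict, package: str, ecosystem: str) -> Optional[str]:
    """Earliest 'fixed' event in the ranges for this package, or None if unfixed."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("name") != package or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def summarise(vulns: list, package: str, ecosystem: str) -> list:
    """Flatten OSV records to id, aliases, CVSS vector (if any), fix version, references."""
    rows = []
    for vuln in vulns:
        # 'severity' is optional in the OSV schema, so a record may carry no score at all.
        cvss = [s.get("score") for s in vuln.get("severity", [])
                if str(s.get("type", "")).startswith("CVSS")]
        rows.append({
            "id": vuln["id"],
            "aliases": vuln.get("aliases", []),
            "cvss": cvss[0] if cvss else None,
            "fixed": first_fixed_version(vuln, package, ecosystem),
            "references": [r["url"] for r in vuln.get("references", []) if "url" in r],
        })
    return rows


def http_post(body: dict) -> dict:
    """Default transport: a real call to OSV.dev (needs network)."""
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def query_osv(package: str, ecosystem: str, version: Optional[str] = None,
              fetch: Callable[[dict], dict] = http_post) -> list:
    """Run the query, following next_page_token until every page is collected."""
    body = build_query(package, ecosystem, version)
    vulns = []
    while True:
        page = fetch(body)
        vulns.extend(page.get("vulns", []))
        token = page.get("next_page_token")
        if not token:
            break
        body = dict(body, page_token=token)  # same query, next page
    return summarise(vulns, package, ecosystem)


# Constructed two-page reply in the API's shape (placeholder ids, not real OSV data).
SAMPLE_PAGES = [
    {"vulns": [{"id": "EXAMPLE-0001", "aliases": ["EXAMPLE-ALIAS-0001"],
                "severity": [{"type": "CVSS_V3",
                              "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],
                "affected": [{"package": {"name": "lodash", "ecosystem": "npm"},
                              "ranges": [{"type": "SEMVER",
                                          "events": [{"introduced": "0"}, {"fixed": "4.17.19"}]}]}],
                "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory/0001"}]}],
     "next_page_token": "page-2"},
    {"vulns": [{"id": "EXAMPLE-0002",  # no severity, no references, no fix yet
                "affected": [{"package": {"name": "lodash", "ecosystem": "npm"},
                              "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]}]},
]


def make_fake_fetch(pages: list) -> Callable[[dict], dict]:
    """Offline transport that serves the constructed pages and records each request body."""
    calls: list = []

    def fetch(body: dict) -> dict:
        calls.append(dict(body))
        return pages[len(calls) - 1]

    fetch.calls = calls  # type: ignore[attr-defined]
    return fetch


if __name__ == "__main__":
    rows = query_osv("lodash", "npm", "4.17.15", fetch=make_fake_fetch(SAMPLE_PAGES))
    print(json.dumps(rows, indent=2))
```

Swap make_fake_fetch for the default http_post to run the same summary against the live service. The fixed field is what a pre-upgrade check actually needs: it tells you which version to move to, and None flags an advisory with no fix yet, which deserves a different decision than "bump the version".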

Example

When a user asks:

Does lodash 4.17.15 have any known vulnerabilities?

the agent calls the tool:

osv_lookup(package="lodash", ecosystem="npm", version="4.17.15")

and gets back: a list of vulnerabilities with IDs, severity, and the version ranges affected.

Use it in a workflow

Wire this tool into a SwarmAI crew. Use the YAML DSL for declarative workflows, or the Java builder API when you want full programmatic control.

YAML DSL

# dependency-audit.yaml
name: dependency-audit-crew
process: SEQUENTIAL

agents:
  - id: auditor
    role: Dependency Auditor
    goal: Scan open-source libraries for known vulnerabilities
    tools:
      - osv_lookup

tasks:
  - id: dependency-audit-task
    agent: auditor
    description: Check whether lodash 4.17.15 on npm has any known vulnerabilities.

Java

import ai.intelliswarm.swarmai.agent.Agent;
import ai.intelliswarm.swarmai.task.Task;
import ai.intelliswarm.swarmai.swarm.Swarm;
import ai.intelliswarm.swarmai.swarm.SwarmOutput;
import ai.intelliswarm.swarmai.process.ProcessType;
import ai.intelliswarm.swarmai.tool.security.OSVLookupTool;
import org.springframework.ai.chat.client.ChatClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class DependencyAuditService {

    // Both beans come from the Spring context: the chat client the agent
    // reasons with, and the OSV lookup tool it is allowed to call.
    @Autowired ChatClient chatClient;
    @Autowired OSVLookupTool osvLookupTool;

    public SwarmOutput auditLodash() {
        Agent auditor = Agent.builder()
            .role("Dependency Auditor")
            .goal("Scan open-source libraries for known vulnerabilities")
            .chatClient(chatClient)
            .tool(osvLookupTool)
            .build();

        // The task text is what the agent turns into the osv_lookup call
        // (package="lodash", ecosystem="npm", version="4.17.15").
        Task auditorTask = Task.builder()
            .description("Check whether lodash 4.17.15 on npm has any known vulnerabilities.")
            .agent(auditor)
            .build();

        return Swarm.builder()
            .agent(auditor)
            .task(auditorTask)
            .process(ProcessType.SEQUENTIAL)
            .build()
            .kickoff();
    }
}

What it's good for

Real scenarios where agents put this tool to work.

SBOM / dependency scanning across Maven, npm, PyPI, Go
Supply-chain risk reports
Pre-upgrade vulnerability check for a specific version
Pairs with github_create_pr to auto-propose patched versions

Source

Implementation lives at swarmai-tools/src/main/java/ai/intelliswarm/swarmai/tool/security/OSVLookupTool.java in the swarm-ai repository.
