Skill

sentinelx-prime

Orchestrates stage-aware cybersecurity guidance for planning, risky implementation changes across auth/authz/tokens/secrets/middleware/outbound-requests/file-handling/CI/deployment/trust boundaries, reviews, and pre-release hardening.

security

npx claudepluginhub alicankiraz1/sentinelxprime --plugin sentinelx-prime

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Thin orchestrator for stage-aware security guidance. It chooses the right security skill for the current project stage and keeps outputs consistent.

Supporting Assets

agents/openai.yamlreferences/activation-rules.mdreferences/active-analysis.mdreferences/context-resolution.mdreferences/interaction-model.mdreferences/lifecycle-persistence.mdreferences/notification-policy.mdreferences/risky-change-review-pass-template.mdreferences/risky-change-signals.md

SKILL.md

Similar Skills

using-sentinelx

Orients sessions to SentinelXPrime security stages, checkpoints, guardrails, and routes to the right skill like sentinelx-prime or sentinelx-review-gate for advisory security.

1 file

sentinelx-prime

sentinel

Blocks unsafe code before commit with secret scanning, OWASP Top 10 detection, dependency audits, and permission checks. Hard gate that halts on critical findings.

11 files

rune

security-review

Reviews code changes for security vulnerabilities, insecure patterns, and best practices. Targets implementation deltas like git diffs and new dependencies, not full audits.

rpikit

Stats

Stars22

Forks1

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SentinelXPrime

Overview

Thin orchestrator for stage-aware security guidance. It chooses the right security skill for the current project stage and keeps outputs consistent.

When to Use

planning a feature, architecture, or task breakdown
changing authentication, authorization, tokens, secrets, middleware, outbound requests, file handling, CI, deployment, or another trust boundary
finishing implementation and deciding whether to run a security review
preparing release, handoff, or hardening checks

When Not to Use

doc-only changes
naming-only refactors
formatting-only edits
UI-only changes that do not affect a trust boundary

Workflow

Read references/context-resolution.md, references/activation-rules.md, references/interaction-model.md, references/risky-change-signals.md, references/notification-policy.md, references/lifecycle-persistence.md, and references/active-analysis.md.
Classify the stage as plan, review, test-rig, or uncertain, and classify whether the current work crosses a risky-change threshold.
Resolve repo-local checkpoint guidance through references/context-resolution.md rather than assuming a relative ../../AGENTS.md path.
For plan, invoke ../sentinelx-plan-gap/SKILL.md automatically.
For risky implementation work, ask once whether the user wants a read-only active analysis pass for the current scope. If they accept, collect scoped evidence through references/active-analysis.md. If git-backed discovery is unavailable but shell reads still work for files already visible in context or explicitly named by the user, use a limited current-source fallback and note the limitation in assumptions. If they decline or shell/file evidence is unavailable, stay description-based and note the limitation in assumptions.
For risky implementation work, run a low-noise scoped risky-change review pass using references/risky-change-review-pass-template.md with an enriched context pack when active analysis was allowed and available.
If a risky-change review pass returns no material concern, do not create a separate interruption.
For review, ask once before invoking ../sentinelx-review-gate/SKILL.md. If the user accepts, treat that acceptance as consent for read-only active analysis within the current review scope.
For test-rig, ask once before invoking ../sentinelx-test-rig/SKILL.md.
Normalize findings using ../shared/finding-schema.md.
End substantial outputs with a coverage note.

Stage Fallback

If the stage is uncertain, stay advisory, do not trigger a risky-change review pass, do not imply a full review occurred, and wait for stronger stage evidence or explicit user intent.

Guardrails

Never claim the project is secure.
Never run tools or mutate files without explicit user consent.
Treat read-only active analysis as tool execution that still requires explicit user consent.
If the stack is unclear, load ../shared/common-web-threats.md and say the stack is uncertain.
Do not repeat the same offer after a clear refusal in the same stage.
Do not imply that a child agent was spawned unless the user explicitly asked for delegation and the active environment actually supports that flow.
Never send the full session history when a narrow scoped context pack is sufficient for the risky-change review pass.
Risky-change review passes must remain advisory-only unless the user explicitly asks for stronger gating.
If repo-local checkpoint policy is missing, do not imply that later-stage security offers are guaranteed automatically.