From sentinel
Analyzes installed package source code for supply chain risks by scanning for eval, network calls, env access, and obfuscation. Scores packages and reports issues with file:line context for JS, Python, Rust, Go ecosystems.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sentinel:package-risk
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Inspect an installed package's source code for behavioral signals that indicate supply chain risk. Scores the package and reports suspicious patterns with file:line context.
Load each step through the fetch command (handles caching, decryption, and auth):
"~/.composure/bin/composure-fetch.mjs" skill sentinel package-risk {step-filename}
Do NOT read cache files directly — they are encrypted at rest. Always use the fetch command above.
| # | File |
|---|---|
| 1 | 01-locate-package.md |
| 2 | 02-behavior-scan.md |
| 3 | 03-score-and-report.md |
npx claudepluginhub hrconsultnj/claude-plugins --plugin sentinel
Evaluates project dependencies for supply chain risks including single maintainers, unmaintained packages, low popularity, and high-risk features. Use for pre-audit scoping and attack surface assessment.
Triages npm packages for install-script malware, exfiltration, and worming behavior using GuardDog and manual tarball inspection. Useful for vetting dependencies before adding them or responding to supply-chain advisories.
Audits project dependencies for supply chain risks: single maintainers, unmaintained packages, low popularity, high-risk features, and past CVEs. Useful for security engagement scoping.