Package Supply Chain Sentinel

Vet dependency changes for supply-chain risk before you install, commit, or release.

Install
cmdop skills install agensi-package-supply-chain-sentinel

Supply Chain Security for Modern Dev Stacks

Package Supply Chain Sentinel is a specialized audit tool designed to catch malicious dependencies before they enter your codebase. It automates the tedious and error-prone process of reviewing lockfile diffs and package manifests for signs of typosquatting, hidden lifecycle scripts, and high-risk version shifts.

What it does

The skill performs a dual-layered analysis: an automated heuristic scan using local scripts and a manual-review simulation based on industry-standard audit checklists. It examines package.json, pyproject.toml, requirements.txt, and their respective lockfiles to identify anomalies that standard vulnerability scanners might miss.

  • Typosquatting Detection: Spots name-hijacking attempts (e.g., requesst vs requests).
  • Manifest Auditing: Flags suspicious preinstall or postinstall scripts that could execute arbitrary code.
  • Lockfile Integrity: Detects unexpected registry changes or hash mismatches in dependency diffs.
  • Evidence-Based Reporting: Provides a ranked list of findings (Critical to Info) with cited evidence and remediation snippets.

Supported Frameworks & Tools

The Sentinel works across major ecosystems, supporting npm, pnpm, yarn, pip, uv, and poetry. It is designed to be integrated into CI/CD pre-commit hooks or used during PR reviews to verify third-party code changes.

Why use this skill?

Standard security tools often focus on known CVEs. This skill focuses on intent and anomalies. Instead of just flagging an old version, it alerts you if a package suddenly starts running a shell script on install or if a lockfile is pointing to a non-standard registry. It saves developers hours of manual diff-checking while providing a higher level of assurance for sensitive production environments.