security-sentinel

Sweep a codebase or diff for the OWASP Top 10 plus the practical adjacent issues (committed secrets, prototype pollution, SSRF, IDOR, deserialization, broken auth flows). Outputs findings with severity, exploit sketch, and the smallest fix. Use when the user says "security audit", "check for vulnerabilities", "is this safe to ship", "do a security review", "find security issues", or before a release that touches auth, payments, or PII.
ashishkumar14/fullstack-agent-skills · ★ 0 · AI & Automation · score 72
Install: claude install-skill ashishkumar14/fullstack-agent-skills
# security-sentinel — find what an attacker would find first

## When to use this skill

Trigger when the user wants a security pass. Strong signals:

- "security audit", "security review", "is this safe?"
- "check for vulnerabilities", "scan for secrets"
- Before any release touching auth, payments, file uploads, PII
- "we're going through a SOC 2 review"

Do *not* trigger for: penetration testing of third-party systems without authorization, weaponizing exploits, or for incident response (that needs an actual responder, not a code review).

## The output contract

A security report with:

1. **Severity-ranked findings** — `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFO` — each tied to real impact (CVSS-style reasoning, not a guess)
2. **An exploit sketch** for each finding — how an attacker would actually trigger it (1–3 sentences)
3. **The smallest fix** — the minimum diff that closes the issue
4. **A "no findings" verdict** when honest — don't fabricate to look thorough
5. **What was NOT checked** — be explicit about scope so the user doesn't think this was a full pen test

## Workflow

### 1 — Scope

Ask:

- Diff review or full codebase?
- Are there areas off-limits or low-priority (e.g., internal admin tools)?
- Is there a threat model to match against (e.g., "we care about tenant isolation more than DDoS")?

State the scope in the report. "Reviewed `src/api/`, did not review `infrastructure/`."

### 2 — Mechanical scan first

Run the cheap, automated wins before reading code