Inspect any dependency before you trust it.

Sentinel downloads and statically analyzes npm packages and public GitHub repos. It reads the code; it never executes it.

download-only · verdict in seconds · nothing runs server-side
sentinel@playground: ~/verify (read-only)
Static analysis only. Targets are downloaded, read, and discarded; nothing executes.
Try: verify npm lodash, verify github expressjs/express, or type "help"

Why this is safe to run

The serverless function imports a single entry point: verify(). The capabilities that touch your shell, your filesystem, or untrusted archives are never wired in. What you can reach is the whole attack surface.

verify · npm / github | Download, then static analysis only | reachable
install | Would spawn npm / git | never imported
local · skill · scan_directory | Would read the server filesystem | excluded
scan_archive | Zip-bomb surface | excluded
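
One way to keep the "single entry point" property from regressing is a CI check that parses the serverless handler and fails if it imports anything from the package other than verify. This is an added example, not Sentinel's own code; the package name `sentinel`, the submodule paths, the verify() signature and both handler sources are assumptions constructed for illustration.

```python
import ast

PACKAGE = "sentinel"   # assumed package name, not confirmed by the page
ALLOWED = {"verify"}   # the single entry point the page says is imported
DYNAMIC = {"__import__", "import_module"}  # loaders that bypass static import checks

def import_surface_violations(source):
    """Return sorted (line, reason) pairs where a handler reaches past verify()."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] == PACKAGE:
                    # A whole-module import makes every attribute reachable.
                    found.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            module = node.module or ""
            if module.split(".")[0] != PACKAGE:
                continue
            for alias in node.names:
                # Only `from sentinel import verify` is allowed; submodules and `*` are not.
                if module != PACKAGE or alias.name not in ALLOWED:
                    found.append((node.lineno, f"from {module} import {alias.name}"))
        elif isinstance(node, ast.Call):
            func = node.func
            name = getattr(func, "id", None) or getattr(func, "attr", None)
            if name in DYNAMIC:
                found.append((node.lineno, f"dynamic import via {name}()"))
    return sorted(found)

# Constructed handler sources; module paths and the verify() signature are hypothetical.
GOOD_HANDLER = '''
from sentinel import verify

def handler(event):
    return verify(event["kind"], event["target"])
'''

BAD_HANDLER = '''
import sentinel
from sentinel import verify, install
from sentinel.archive import scan_archive
import importlib
local = importlib.import_module("sentinel.local")
'''

if __name__ == "__main__":
    for label, src in (("good", GOOD_HANDLER), ("bad", BAD_HANDLER)):
        print(label, import_surface_violations(src))
```

The check is deliberately strict: any dynamic import call is flagged regardless of its argument, because a computed module name cannot be verified statically.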