SinkSINK Project

Product Overview

What Sink is, what problems it solves, core concepts, and typical use cases

Sink Product Overview

What is Sink?

SecFlow is an AI-powered security testing platform that automates penetration testing, code audits, and security validation by letting AI agents (such as Claude Code, Codex, Goose, etc.) interact with your systems.

Core features:

  • Web UI + CLI: Interact through a browser or automate via command line
  • Multi-Agent support: Not locked to a single AI provider; connect Claude Code, Codex, Factory Droid, and more via the standard ACP protocol (Agent Client Protocol)
  • Real-time collaboration: Watch every step of the Agent’s reasoning, tool calls, and decisions; approve or terminate at any time
  • Workspace isolation: Each project is an independent workspace with its own configuration, skills library, and execution history

What Problems Does It Solve?

Many knowledge-intensive workflows remain heavily manual. Sink combines AI Agent reasoning with execution capabilities:

  1. Quick task definition: Describe what you want to accomplish in one sentence; the AI Agent automatically breaks it down into concrete steps
  2. Transparent execution: Not a black box — see in real time how the Agent thinks, which tools it calls, and what decisions it makes
  3. Human-in-the-loop: When the Agent needs to perform sensitive operations (like modifying files or executing commands), it must go through your approval
  4. Cross-project reuse: Save common workflows, experience, and techniques as “Skills” (the Agent’s capability library) and share them across projects

Core Concepts

Task (任务)

A Task is a single AI Agent execution session. You describe a goal or problem, and the Agent starts a Task to accomplish it.

Each Task contains:

  • Goal description: Your instructions to the Agent
  • Execution status: What the Agent is currently doing (analyzing, awaiting approval, completed, etc.)
  • Session history: Interaction records between user and Agent
  • Tool calls: Concrete operations the Agent has executed (code execution, file operations, etc.)

Profile (Agent Persona)

A Profile defines an AI Agent’s “persona” and “capabilities” on your platform. It includes:

  • System Prompt: Tells the Agent what it is, how it should think and act
  • Runtime: How to launch this Agent process (which AI service, what parameters)
  • Skills: Which capabilities and tool libraries this Agent has access to
  • MCP configuration: Which external tools and data sources this Agent can call

A Profile is like a “role template.” You can create different Profiles for different task scenarios — for example, a “Code Reviewer” Profile focused on code quality analysis, or a “DevOps Engineer” Profile focused on infrastructure and deployment workflows.

Runtime (运行时)

A Runtime defines how to launch an AI Agent process. It includes:

  • Agent type: Claude Code, Codex, Factory Droid, or OpenCode
  • Launch command: What command to run to start the Agent
  • Environment variables and parameters: Configuration passed to the Agent process

Multiple Profiles can share the same Runtime but use different System Prompts to change the Agent’s behavior.

Skill (能力)

A Skill is a specific capability or tool library that an AI Agent can use. Each Skill contains:

  • Documentation: Tells the Agent what this Skill is and how to use it
  • Reference materials: Technical details and option documentation for the Skill
  • Custom tools (optional): A Skill can define MCP tools for the Agent to call

You can:

  • Use Sink’s built-in Skills (such as code execution, file operations, etc.)
  • Download community Skills from the skills library
  • Write your own Skills for specific projects or teams

MCP Server (工具集)

MCP (Model Context Protocol) is an open standard that allows AI Agents to call external tools and access data. Sink can connect to any MCP-compatible tool:

  • Code tools: Language servers, compilers, code analysis tools
  • System tools: Shell commands, file operations, process management
  • API tools: Database queries, network requests, third-party service calls
  • Custom tools: Tools you write yourself

Workspace (工作区)

A Workspace is a project directory. It contains:

  • Project code and files
  • Sink local configuration: Which Profiles, Skills, and MCP Servers this workspace uses
  • Execution history: All Tasks executed in this workspace and their results

Multiple workspaces can share user-level configuration (such as Agent Runtimes and common Skills), but each workspace has independent Profile definitions, local Skills, and execution history.

Gateway (网关)

Gateway is Sink’s service process. It:

  • Provides the web UI and REST API
  • Manages user identity and permissions
  • Coordinates Agent execution across multiple workspaces
  • Handles real-time Task state pushing (using Server-Sent Events)

Basic Workflow

1. Initialize the Platform

sink init

Run this command on first use. It will:

  • Detect locally installed Agent Runtimes (Claude Code, Codex, Factory Droid, OpenCode)
  • Interactively configure the default Profile (name, model, system prompt)
  • Create configuration files (settings.json, gateway.json, runtimes.json, mcp.json, default Profile)

2. Start the Gateway Service

sink gateway start

Starts the Gateway process and opens the web interface (usually at http://localhost:5000). You can now begin creating Tasks.

3. Create a Task

On the web UI or via CLI, describe your objective. For example:

“Review the authentication module in this Node.js application for correctness, error handling, and adherence to best practices.”

Sink will:

  • Select an appropriate Profile based on your workspace configuration (e.g., “Code Reviewer”)
  • Launch the corresponding Agent
  • Send your description to the Agent as the initial instruction

4. Monitor in Real Time

The web UI displays in real time:

  • Agent’s reasoning process: What the Agent is currently doing and thinking
  • Pending approvals: When the Agent wants to perform a sensitive operation, the UI displays an approval dialog
  • Tool call history: Which commands, file operations, etc. the Agent has executed

You can:

  • Continue the conversation: Enter new instructions, ask questions, or provide reminders
  • Approve/Deny: Make decisions on sensitive operations
  • Stop the task: Abort at any time if something seems wrong

5. View Results

When a Task completes, the web UI displays:

  • Execution summary: What the Agent did and what it found
  • Detailed report: Specific results including code, logs, screenshots, etc.
  • Download: Export reports or intermediate artifacts

Typical Use Cases

Scenario 1: Automated Code Review

Task: Regularly review newly committed code for correctness, maintainability, and adherence to coding standards.

  1. Create a “Code Reviewer” Profile with code reading and static analysis Skills configured
  2. Create a Task instructing the Agent to review the src/ directory
  3. The Agent will automatically:
    • Read code files
    • Run linters, type checkers, and test suites
    • Identify potential issues and anti-patterns
    • Point out specific line numbers and suggest fixes
  4. You approve the Agent’s suggestions and generate a review report

Scenario 2: Project Workflow Automation

Task: After setting up a new service, verify its configuration, tests, and deployment readiness.

  1. Create a “DevOps Engineer” Profile with filesystem and command execution Skills configured
  2. Create a Task instructing the Agent to verify service setup and deployment readiness
  3. The Agent will:
    • Check configuration files and environment settings
    • Run tests and check for common configuration errors
    • Validate deployment manifests and CI/CD pipelines
    • Generate a readiness report with actionable recommendations
  4. You approve high-risk operations and collect the verification report

Scenario 4: Repetitive Tasks

Task: Run the same checklist before every release.

  1. Save common verification workflows as a Skill
  2. Create a parameterized Profile referencing this Skill
  3. Each release, just create a Task and pass parameters (e.g., which modules to check)
  4. The Agent automatically executes the standardized workflow and generates comparable reports

Next Steps

Quick Start

Initialize Sink and run your first AI task