sentry-issue-resolver
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection via untrusted Sentry data ingestion. * Ingestion points: Sentry API responses (SKILL.md steps 3 and 4) containing untrusted error messages, stack traces, and context tags. * Boundary markers: Absent. No delimiters or instructions to ignore embedded commands are used when processing external JSON data. * Capability inventory: curl network access, access to SENTRY_AUTH_TOKEN, and the ability to generate code/solutions. * Sanitization: Absent. The agent is directed to perform deep root cause analysis on the raw external content.
- [CREDENTIALS_UNSAFE] (HIGH): Exposure of sensitive environment variables. * Evidence: The skill requires SENTRY_AUTH_TOKEN and provides a command (echo $SENTRY_AUTH_TOKEN) that exposes the secret to the shell output and history.
- [COMMAND_EXECUTION] (MEDIUM): Execution of system commands based on parsed external input. * Evidence: The skill constructs curl commands using values parsed from a user-provided Sentry URL (org slug and issue ID). * Risk: Potential for command parameter manipulation if the agent incorrectly parses a malicious URL or if an attacker provides a crafted slug.
Recommendations
- AI detected serious security threats
Audit Metadata