The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The skill instructs the agent to programmatically read the ~/.sentryclirc configuration file to extract an authentication token.\n
Evidence: TOKEN=$(rg '^token=' ~/.sentryclirc | head -n1 | cut -d'=' -f2-) in SKILL.md.\n
Risk: Programmatic extraction of plaintext credentials from local configuration files is a high-risk behavior that exposes secrets to the AI agent context, where they could be leaked or misused.\n- [DATA_EXFILTRATION] (LOW): The skill performs network requests to a non-whitelisted domain (sentry.io) using the extracted credentials.\n
Evidence: curl -sS -H "Authorization: Bearer $TOKEN" "https://sentry.io/api/0/issues/<issue_id>/".\n
Note: While the destination is the legitimate Sentry service, it is not on the trusted domain list for network operations. The hardcoded destination mitigates the risk of arbitrary exfiltration.\n- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) through external data fetched from Sentry.\n
Ingestion points: Data enters the context via curl responses from the Sentry API (e.g., issue titles, exception messages, and stacktraces).\n
Boundary markers: Absent. The instructions do not provide delimiters or warnings for the agent to ignore instructions embedded within the Sentry issue data.\n
Capability inventory: Shell command execution via curl, sentry-cli, and rg in SKILL.md.\n
Sanitization: Absent. Untrusted data from the Sentry API is directly processed and included in reports without validation or escaping.\n- [COMMAND_EXECUTION] (SAFE): The skill utilizes standard command-line tools for its primary purpose.\n
Evidence: Calls to sentry-cli info and sentry-cli organizations list.\n
Note: These are expected operations for a Sentry integration tool and do not represent abnormal behavior beyond the credential handling risks.

sentry-issue