sentry-fix-issues
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill demonstrates a significant attack surface for indirect prompt injection via external data sources.
- Ingestion points: The skill uses sentry_get_issue, sentry_get_event, and sentry_get_trace to pull data into the agent's context. This data includes exception messages, breadcrumbs, and request data, all of which can be influenced by external users/attackers of the monitored application.
- Boundary markers: There are no instructions or delimiters defined to separate untrusted Sentry data from the agent's system instructions.
- Capability inventory: The skill allows the agent to read local files, check git logs, implement code fixes (write access), and add/run tests (execution access).
- Sanitization: No sanitization or validation of the ingested Sentry data is performed before it is used to guide 'Root Cause Hypothesis' or 'Implement Fix' phases.
- Risk: An attacker could trigger a specific error in a production system containing a payload that instructs the agent to introduce a backdoor or exfiltrate environment variables during the 'Phase 5: Implement Fix' step.
- Command Execution (MEDIUM): While the skill uses MCP tools for Sentry access, Phase 4 and Phase 5 encourage the agent to perform file system operations ('Read every file', 'Apply the fix', 'Add tests'). This grants the agent broad authority to modify the local environment based on instructions derived from untrusted external telemetry.
Recommendations
- AI detected serious security threats
Audit Metadata