sentry-setup-metrics

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:

[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

This skill is consistent with its stated purpose: it documents how to enable and instrument Sentry custom metrics in JS/TS and Python projects. It asks for expected inputs (project manifests, DSN) and recommends legitimate SDK packages and configuration. There are no signs of credential harvesting, obfuscated code, unknown third-party proxies, or malicious behaviors. The primary risk is operational: developers may accidentally include sensitive or high-cardinality attributes in metrics; the skill properly warns about that and gives filtering examples. Overall, the skill appears benign and appropriate for its purpose.

LLM verification: This is an instructional skill that documents how to enable and use official Sentry metrics in supported runtimes. There is no evidence of malicious code or obfuscated payloads. Primary security concerns are operational: avoid hardcoding DSNs, do not send PII/secrets as metric attributes (use beforeSendMetric to scrub), and prefer pinned/package-version controls rather than unpinned 'latest' installs to reduce supply-chain risk. The content is safe to follow if practitioners apply standard secur

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 16, 2026, 03:41 AM
Package URL: pkg:socket/skills-sh/getsentry%2Fsentry-for-claude%2Fsentry-setup-metrics%2F@3d65bf707b1cbeeb87412a6d395d63692f3b1cc0