dotagents
Warn
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `[[hooks]]` configuration section allows defining shell commands that are automatically executed by the agent during various lifecycle events such as `PreToolUse` or `PostToolUse` (Evidence: `references/config-schema.md`).
- [COMMAND_EXECUTION]: The `[[mcp]]` section allows the declaration of Model Context Protocol servers that execute arbitrary commands and arguments using the stdio transport (Evidence: `references/cli-reference.md`).
- [EXTERNAL_DOWNLOADS]: The `install` and `add` commands facilitate the retrieval of external code and skill packages from GitHub and remote Git repositories (Evidence: `SKILL.md`, `references/configuration.md`).
- [REMOTE_CODE_EXECUTION]: The documentation describes running the tool via `npx @sentry/dotagents`, which involves fetching and executing code directly from the npm registry (Evidence: `SKILL.md`).
- [DATA_EXFILTRATION]: MCP server declarations support the forwarding of environment variables and the inclusion of custom HTTP headers in requests to remote URLs, which could be leveraged to expose sensitive tokens or system information (Evidence: `references/cli-reference.md`).
- [PROMPT_INJECTION]: The skill's reliance on `agents.toml` for command definitions creates an indirect injection surface; an attacker-controlled repository could provide a malicious configuration file that leads to arbitrary command execution when the user or agent runs a sync or install operation (Evidence: `references/config-schema.md`).