sentry
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE
Full Analysis
- Data Exposure & Exfiltration (MEDIUM): The skill reads sensitive credentials from `~/.sentryclirc` via the `getAuthToken()` function in `lib/auth.js`. While this is necessary for the skill's primary purpose of Sentry integration, accessing raw credential files on the host system is a high-privilege operation. The severity is adjusted to MEDIUM as it aligns with the intended functionality.
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Sentry (error messages, log entries, and stack traces) and presents it to the agent without sanitization or boundary markers.
  - Ingestion points: Data is fetched from Sentry API endpoints in `scripts/fetch-event.js`, `scripts/list-issues.js`, `scripts/search-events.js`, and `scripts/search-logs.js` using the `fetchJson` utility.
  - Boundary markers: Absent. The output is formatted into markdown or raw strings without delimiters or warnings to the agent to ignore instructions embedded in the logs.
  - Capability inventory: The skill possesses network read capabilities (Sentry API) and file system read capabilities (`~/.sentryclirc`). If the agent has broader capabilities (e.g., shell access), the injected instructions could trigger those tools.
  - Sanitization: None. The script directly prints `event.message`, `crumb.message`, and log `message` fields, which are attacker-controlled strings.
Audit Metadata