instrument-repo

Warn

Audited by Socket on Feb 27, 2026

1 alert found:

Security: MEDIUM
SKILL.md

The instrument-repo tool appears designed for legitimate production observability onboarding across multiple stacks. Its capabilities are broadly coherent with the stated purpose (detect stack, install SDKs, write configs, open PRs). However, it introduces notable security considerations around credential handling (SENTRY_AUTH_TOKEN, HELICONE_API_KEY, SENTRY_DSN, PostHog keys), data flows to external observability endpoints, and potential broad instrumentation across repos without explicit per-repo confirmation. The combination of credential exposure risk, external network traffic for telemetry, and automated code/config changes warrants a cautious approach with strict secret management, access controls, and explicit user consent checks. Overall securityRisk: 0.62, malware: 0.12, obfuscated: 0.05, confidence: 0.62

Confidence: 75%
Severity: 75%

Audit Metadata

Analyzed At: Feb 27, 2026, 02:30 PM
Package URL: pkg:socket/skills-sh/phrazzld%2Fclaude-config%2Finstrument-repo%2F@c0a76c773fef321253ebc39cf97b1ce5c7ad37d2