observability
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through external error data.
  - Ingestion points: Error data is ingested from Sentry via API calls (using curl in references/ai-agent-integration.md) or via an MCP server as described in SKILL.md.
  - Boundary markers: The skill lacks delimiters or warnings to ignore embedded instructions when piping error context to the LLM (e.g., in the command `cat issue.json | claude --print "Analyze this..."`).
  - Capability inventory: The agent is encouraged to analyze errors and "propose fixes," which implies capabilities like file system modifications and Git/PR operations.
  - Sanitization: Although PII scrubbing is implemented for data privacy, there is no sanitization to prevent the LLM from following malicious instructions contained within captured error messages.
- [COMMAND_EXECUTION]: The skill executes shell scripts from a hardcoded path related to a dependency skill.
  - Evidence: It calls scripts located in `~/.claude/skills/sentry-observability/scripts/`, including `detect_sentry.sh`, `init_sentry.sh`, and `verify_setup.sh`.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` and `curl` to interact with well-known and trusted technology services.
  - Evidence: Utilizes `npx` to execute `@anthropic/sentry-mcp`, `@modelcontextprotocol/server-sentry`, and `@sentry/wizard`. It also uses `curl` to fetch issue details from Sentry's official API.