Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sentry Cli
v1.0.1
Sentry.io error monitoring via sentry-cli. Use when working with Sentry releases, source maps, dSYMs, events, or issue management. Covers authentication, release workflows, deploy tracking, and debug file uploads.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the SKILL.md: everything is about sentry-cli release management, sourcemaps, dSYMs, events, and CI integration. The commands and examples are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run sentry-cli commands that legitimately operate on releases, source maps, debug artifacts, and optionally local files (e.g., /var/log/app.log, Xcode DerivedData paths). These file references are expected for this domain but mean the agent may be instructed to read and upload local artifacts or logs — verify you are comfortable with that level of file access.
Install Mechanism
The skill has no formal install spec in the registry (instruction-only), but the README suggests installing via brew, npm, or a direct download using curl -sL https://sentry.io/get-cli/ | bash. brew/npm are standard, but the curl|bash pattern is higher-risk (pipe-to-shell). The URL is an official sentry.io domain, which reduces suspicion, but a user should prefer vetted package installs or inspect the downloaded script before executing.
Credentials
Registry metadata declares no required env vars or primary credential, yet SKILL.md repeatedly references sensitive environment variables and config (.sentryclirc, SENTRY_AUTH_TOKEN, SENTRY_ORG, SENTRY_PROJECT). This is a mismatch: the skill will rely on sensitive tokens and org/project settings even though none are declared. Requesting SENTRY_AUTH_TOKEN is expected for sentry-cli, but the lack of declared required credentials and the skill's unknown source make it important to check token scope and storage location before use.
Persistence & Privilege
The skill does not request always:true, has no install that writes persistent system-wide configuration beyond normal sentry-cli usage (it suggests storing tokens in .sentryclirc). It does not modify other skills or agent-wide settings in the provided instructions.
What to consider before installing
This SKILL.md is a legitimate how-to for sentry-cli, but take these precautions before installing or using it:
1) The skill metadata lists no source or homepage — verify the publisher before trusting it.
2) The instructions use sensitive values (SENTRY_AUTH_TOKEN, SENTRY_ORG, SENTRY_PROJECT) even though the registry did not declare required credentials — only provide a token with the minimum scope needed (prefer a CI-specific token), and avoid placing high-privilege tokens in global env.
3) Prefer installing sentry-cli via your platform's package manager (brew or npm) rather than blindly running curl | bash; if you must use the installer script, inspect it first.
4) Be aware the commands may read and upload local artifacts or logs (dSYMs, /var/log/app.log, build artifacts) — review what will be uploaded.
5) If you allow autonomous agent invocation, restrict when the skill can run and monitor token usage.
If you want, request the skill author to declare required env vars and provide a verifiable homepage/source before proceeding.
Like a lobster shell, security has layers — review code before you run it.
