Public audit · 2026-04-30

getsentry/sentry-mcp

Overall: F (20/100) · v0.3 scan · 6 axes · LLM prompt-injection probe

SkillAudit report — getsentry/sentry-mcp

Scanned 2026-04-30 by SkillAudit v0.3 (surface-tiered static checks + LLM-assisted prompt-injection red-team).

Commit: 6bd4a2e · Stars: 667 · Days since last push: 0

LLM prompt-injection probe: no-tool-surface

Overall grade: F (20/100)

Axis	Score	Grade
security	20/100	F	❌
permissions	100/100	A	✅
credentials	65/100	D	❌
maintenance	100/100	A	✅
compatibility	100/100	A	✅
docs	100/100	A	✅

Security findings

Production sources:

WARN packages/mcp-cloudflare/src/server/oauth/helpers.ts:341 — HTTP client call with user-controlled argument 'upstream_url' (validation markers present but not verified against this call-site)

const resp = await fetch(upstream_url, {

WARN packages/mcp-cloudflare/src/server/routes/chat-oauth.ts:120 — HTTP client call with user-controlled argument 'registrationUrl' (validation markers present but not verified against this call-site)

const response = await fetch(registrationUrl, {

WARN packages/mcp-cloudflare/src/server/routes/chat-oauth.ts:171 — HTTP client call with user-controlled argument 'tokenUrl' (validation markers present but not verified against this call-site)

const response = await fetch(tokenUrl, {

WARN packages/mcp-cloudflare/src/server/routes/chat.ts:58 — HTTP client call with user-controlled argument 'tokenUrl' (validation markers present but not verified against this call-site)

const response = await fetch(tokenUrl, {

HIGH packages/mcp-core/scripts/generate-otel-namespaces.ts:198 — Template-string URL with interpolation — no validation possible on composed string

const response = await fetch(

WARN packages/mcp-core/src/api-client/client.ts:299 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

response = await fetch(url, {

WARN packages/mcp-core/src/api-client/client.ts:272 — HTTP client call with user-controlled argument 'path' (validation markers present but not verified against this call-site)

private async request(

WARN packages/mcp-core/src/api-client/client.ts:494 — HTTP client call with user-controlled argument 'path' (validation markers present but not verified against this call-site)

const response = await this.request(path, options, requestOptions);

WARN packages/mcp-core/src/api-client/client.ts:2038 — HTTP client call with user-controlled argument 'downloadUrl' (validation markers present but not verified against this call-site)

const downloadResponse = await this.request(

WARN packages/mcp-core/src/internal/agents/azure-openai-provider.ts:88 — HTTP client call with user-controlled argument 'requestUrl' (validation markers present but not verified against this call-site)

return fetch(requestUrl.toString(), {

Test source (low-weight) — 3 total, deduct 5/0 per high/warn:

WARN packages/mcp-cloudflare/src/test-utils/fetch-mock-setup.test.ts:33 — HTTP client call with user-controlled argument 'createEventsUrl' (validation markers present but not verified against this call-site)

const validResponse = await fetch(

WARN packages/mcp-cloudflare/src/test-utils/fetch-mock-setup.test.ts:40 — HTTP client call with user-controlled argument 'createEventsUrl' (validation markers present but not verified against this call-site)

const invalidFieldsResponse = await fetch(

WARN packages/mcp-cloudflare/src/test-utils/fetch-mock-setup.test.ts:47 — HTTP client call with user-controlled argument 'createEventsUrl' (validation markers present but not verified against this call-site)

const invalidSortResponse = await fetch(

Permissions

_No findings on this axis._

Credentials

Production sources:

WARN packages/mcp-test-client/.env.test — .env file present in repo tree — verify it's a template, not real secrets

packages/mcp-test-client/.env.test

Examples / samples (low-weight) — 4 total, deduct 5/0 per high/warn:

HIGH .env.example:8 — Hardcoded OpenAI / Anthropic-style API key found in source

sk-*** (OpenAI / Anthropic-style API key, 22 chars)

HIGH packages/mcp-cloudflare/.env.example:19 — Hardcoded OpenAI / Anthropic-style API key found in source

sk-*** (OpenAI / Anthropic-style API key, 21 chars)

WARN .env.example — .env file present in repo tree — verify it's a template, not real secrets

.env.example

WARN packages/mcp-cloudflare/.env.example — .env file present in repo tree — verify it's a template, not real secrets

packages/mcp-cloudflare/.env.example

Test source (low-weight) — 3 total, deduct 5/0 per high/warn:

HIGH packages/mcp-core/src/telem/sentry.test.ts:10 — Hardcoded OpenAI / Anthropic-style API key found in source

sk-*** (OpenAI / Anthropic-style API key, 51 chars)

HIGH packages/mcp-core/src/telem/sentry.test.ts:20 — Hardcoded OpenAI / Anthropic-style API key found in source

sk-*** (OpenAI / Anthropic-style API key, 51 chars)

HIGH packages/mcp-core/src/telem/sentry.test.ts:20 — Hardcoded OpenAI / Anthropic-style API key found in source

sk-*** (OpenAI / Anthropic-style API key, 51 chars)

Maintenance

_No findings on this axis._

Compatibility

_No findings on this axis._

Documentation

_No findings on this axis._

Methodology

SkillAudit v0.3 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the published rubric — surface tiers, per-(axis, surface) caps, grade buckets, and worked examples are all documented there.

The v0.3 calibration update introduces surface tiering: every finding is tagged with the code path it lives in (production / installer / examples / benchmarks / scripts / test). Production findings deduct at full weight (-30 high, -10 warn); installer findings deduct at half (-15 / -5); examples, benchmarks, top-level scripts, and tests deduct at low weight (-5 / 0). This stops a chatty benchmarks/ or samples/ directory from dominating an otherwise-clean MCP server's grade.

The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.

How to improve this grade

Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use execFile with argv arrays instead of exec with template strings; never pass untrusted strings to subprocess with shell=True.
Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g., <untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output.
Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.

_Report generated by skillaudit.dev_

Want your repo audited?

First 100 audits go to waitlist signups in order. The engine runs against public GitHub URLs today.

Join the waitlist →