sentry-security

Sentry-specific security review based on real vulnerability history. Use when reviewing Sentry endpoints, serializers, or views for security issues. Trigger keywords: "sentry security review", "check for IDOR", "access control review", "org scoping", "cross-org", "security audit endpoint".

Quality

83%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, domain-specific security review skill that encodes real vulnerability patterns from Sentry's history into a structured, actionable workflow. Its greatest strengths are the concrete code patterns, the rigorous multi-layer enforcement tracing, and the calibrated confidence system that prevents false positives. The main weakness is that the referenced bundle files are missing, making it impossible to verify the progressive disclosure structure, and the main file could be slightly more concise by pushing detailed check content into those references.

Suggestions

Provide the referenced bundle files (endpoint-patterns.md, serializer-patterns.md, enforcement-layers.md, etc.) so the progressive disclosure structure actually functions and detailed check patterns can be offloaded from the main SKILL.md.

Consider moving the detailed descriptions of Checks 1-6 into their respective reference files, keeping only a summary table with red-flag signatures in the main SKILL.md to improve conciseness.

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient and domain-specific, avoiding generic OWASP theory as promised. However, some sections are slightly verbose — e.g., the confidence table and some check descriptions could be tightened. The repeated emphasis on 'do not report LOW' appears multiple times in slightly different forms.	2 / 3
Actionability	Highly actionable with concrete trace flows, specific red-flag code patterns (e.g., `Model.objects.get(id=request.data["something_id"])` without org scope), safe pattern examples, a 7-layer enforcement checklist, and a complete output template with fix code requirements. The guidance is specific to Sentry's codebase and directly executable.	3 / 3
Workflow Clarity	The 4-step workflow is clearly sequenced (Classify → Check → Trace → Report) with explicit validation checkpoints. Step 3 is a thorough verification/feedback loop requiring tracing through all 7 enforcement layers before confirming a finding. The confidence downgrade from HIGH to MEDIUM when unable to fully confirm acts as a built-in safety checkpoint.	3 / 3
Progressive Disclosure	The skill references 5 specific reference files (e.g., `references/endpoint-patterns.md`, `references/enforcement-layers.md`) with clear navigation tables, which is excellent structure. However, no bundle files were provided, so these references cannot be verified. The main SKILL.md itself is fairly long (~200 lines) and some of the detailed check content (especially Checks 1-6) could potentially be split into the referenced files to keep the overview leaner.	2 / 3
	Total	10 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description with excellent trigger term coverage and clear completeness. Its main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., checking for IDOR, validating org-level scoping, auditing permission decorators). The distinctiveness is excellent due to the Sentry-specific focus.

Suggestions

Expand the capability description with more concrete actions, e.g., 'Checks for IDOR vulnerabilities, validates organization-level scoping, audits permission decorators on endpoints, and reviews serializer field exposure.'

Dimension	Reasoning	Score
Specificity	It names the domain (Sentry security review) and mentions some actions (reviewing endpoints, serializers, views for security issues), but doesn't list multiple concrete actions like 'check for IDOR vulnerabilities, validate org scoping, audit access control on serializers'. The actions remain somewhat general.	2 / 3
Completeness	Clearly answers both 'what' (Sentry-specific security review based on real vulnerability history) and 'when' (when reviewing Sentry endpoints, serializers, or views for security issues), with explicit trigger keywords listed.	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms including 'sentry security review', 'check for IDOR', 'access control review', 'org scoping', 'cross-org', 'security audit endpoint'. These are terms users would naturally use when requesting this type of review.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive — scoped specifically to Sentry's codebase and security patterns, with domain-specific triggers like 'org scoping', 'cross-org', and 'IDOR' that are unlikely to conflict with generic security or code review skills.	3 / 3
	Total	11 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: getsentry/sentry
Commit: 552fb5c

Reviewed: 24 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.