Sentry-specific security review based on real vulnerability history. Use when reviewing Sentry endpoints, serializers, or views for security issues. Trigger keywords: "sentry security review", "check for IDOR", "access control review", "org scoping", "cross-org", "security audit endpoint".
Overall score: 68
Quality: 83% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Validation: Passed (No known issues)

Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and clear completeness. Its main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., checking for IDOR, validating org-level scoping, auditing permission decorators). The distinctiveness is excellent due to the Sentry-specific focus.
Suggestions
Expand the capability description with more concrete actions, e.g., 'Checks for IDOR vulnerabilities, validates organization-level scoping, audits permission decorators on endpoints, and reviews serializer field exposure.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (Sentry security review) and mentions some actions (reviewing endpoints, serializers, views for security issues), but doesn't list multiple concrete actions like 'check for IDOR vulnerabilities, validate org scoping, audit access control on serializers'. The actions remain somewhat general. | 2 / 3 |
| Completeness | Clearly answers both 'what' (Sentry-specific security review based on real vulnerability history) and 'when' (when reviewing Sentry endpoints, serializers, or views for security issues), with explicit trigger keywords listed. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including 'sentry security review', 'check for IDOR', 'access control review', 'org scoping', 'cross-org', 'security audit endpoint'. These are terms users would naturally use when requesting this type of review. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive — scoped specifically to Sentry's codebase and security patterns, with domain-specific triggers like 'org scoping', 'cross-org', and 'IDOR' that are unlikely to conflict with generic security or code review skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, domain-specific security review skill that encodes real vulnerability patterns from Sentry's history into a structured, actionable workflow. Its greatest strengths are the concrete code patterns, the rigorous multi-layer enforcement tracing, and the calibrated confidence system that prevents false positives. The main weakness is that the referenced bundle files are missing, making it impossible to verify the progressive disclosure structure, and the main file could be slightly more concise by pushing detailed check content into those references.
Suggestions
Provide the referenced bundle files (endpoint-patterns.md, serializer-patterns.md, enforcement-layers.md, etc.) so the progressive disclosure structure actually functions and detailed check patterns can be offloaded from the main SKILL.md.
Consider moving the detailed descriptions of Checks 1-6 into their respective reference files, keeping only a summary table with red-flag signatures in the main SKILL.md to improve conciseness.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and domain-specific, avoiding generic OWASP theory as promised. However, some sections are slightly verbose — e.g., the confidence table and some check descriptions could be tightened. The repeated emphasis on 'do not report LOW' appears multiple times in slightly different forms. | 2 / 3 |
| Actionability | Highly actionable with concrete trace flows, specific red-flag code patterns (e.g., `Model.objects.get(id=request.data["something_id"])` without org scope), safe pattern examples, a 7-layer enforcement checklist, and a complete output template with fix code requirements. The guidance is specific to Sentry's codebase and directly executable. | 3 / 3 |
| Workflow Clarity | The 4-step workflow is clearly sequenced (Classify → Check → Trace → Report) with explicit validation checkpoints. Step 3 is a thorough verification/feedback loop requiring tracing through all 7 enforcement layers before confirming a finding. The confidence downgrade from HIGH to MEDIUM when unable to fully confirm acts as a built-in safety checkpoint. | 3 / 3 |
| Progressive Disclosure | The skill references 5 specific reference files (e.g., `references/endpoint-patterns.md`, `references/enforcement-layers.md`) with clear navigation tables, which is excellent structure. However, no bundle files were provided, so these references cannot be verified. The main SKILL.md itself is fairly long (~200 lines) and some of the detailed check content (especially Checks 1-6) could potentially be split into the referenced files to keep the overview leaner. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
552fb5c