getsentry · ericapisani · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
@@ -0,0 +1,102 @@
+---
+name: code-review
+description: Perform code reviews following Sentry engineering practices. Use when reviewing pull requests, examining code changes, or providing feedback on code quality. Covers security, performance, testing, and design review.
+---
+
+# Sentry Code Review
+
+Follow these guidelines when reviewing code for Sentry projects.
+
+## Review Checklist
+
+### Identifying Problems
+
+Look for these issues in code changes:
+
+- **Runtime errors**: Potential exceptions, null pointer issues, out-of-bounds access
+- **Performance**: Unbounded O(n²) operations, N+1 queries, unnecessary allocations
+- **Side effects**: Unintended behavioral changes affecting other components
+- **Backwards compatibility**: Breaking API changes without migration path
+- **ORM queries**: Complex Django ORM with unexpected query performance
+- **Security vulnerabilities**: Injection, XSS, access control gaps, secrets exposure
+
+### Design Assessment
+
+- Do component interactions make logical sense?
+- Does the change align with existing project architecture?
+- Are there conflicts with current requirements or goals?
+
+### Test Coverage
+
+Every PR should have appropriate test coverage:
+
+- Functional tests for business logic
+- Integration tests for component interactions
+- End-to-end tests for critical user paths
+
+Verify tests cover actual requirements and edge cases. Avoid excessive branching or looping in test code.
+
+### Long-Term Impact
+
+Flag for senior engineer review when changes involve:
+
+- Database schema modifications
+- API contract changes
+- New framework or library adoption
+- Performance-critical code paths
+- Security-sensitive functionality
+
+## Feedback Guidelines
+
+### Tone
+
+- Be polite and empathetic
+- Provide actionable suggestions, not vague criticism
+- Phrase as questions when uncertain: "Have you considered...?"
+
+### Approval
+
+- Approve when only minor issues remain
+- Don't block PRs for stylistic preferences
+- Remember: the goal is risk reduction, not perfect code
+
+## Common Patterns to Flag
+
+### Python/Django
+
+```python
+# Bad: N+1 query
+for user in users:
+    print(user.profile.name)  # Separate query per user
+
+# Good: Prefetch related
+users = User.objects.prefetch_related('profile')
+```
+
+### TypeScript/React
+
+```typescript
+// Bad: Missing dependency in useEffect
+useEffect(() => {
+  fetchData(userId);
+}, []);  // userId not in deps
+
+// Good: Include all dependencies
+useEffect(() => {
+  fetchData(userId);
+}, [userId]);
+```
+
+### Security
+
+```python
+# Bad: SQL injection risk
+cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+
+# Good: Parameterized query
+cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
+```
+
+## References
+
+- [Sentry Code Review Guidelines](https://develop.sentry.dev/engineering-practices/code-review/)
@@ -0,0 +1,75 @@
+---
+name: find-bugs
+description: Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
+---
+
+# Find Bugs
+
+Review changes on this branch for bugs, security vulnerabilities, and code quality issues.
+
+## Phase 1: Complete Input Gathering
+
+1. Get the FULL diff: `git diff $(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')...HEAD`
+2. If output is truncated, read each changed file individually until you have seen every changed line
+3. List all files modified in this branch before proceeding
+
+## Phase 2: Attack Surface Mapping
+
+For each changed file, identify and list:
+
+* All user inputs (request params, headers, body, URL components)
+* All database queries
+* All authentication/authorization checks
+* All session/state operations
+* All external calls
+* All cryptographic operations
+
+## Phase 3: Security Checklist (check EVERY item for EVERY file)
+
+* [ ] **Injection**: SQL, command, template, header injection
+* [ ] **XSS**: All outputs in templates properly escaped?
+* [ ] **Authentication**: Auth checks on all protected operations?
+* [ ] **Authorization/IDOR**: Access control verified, not just auth?
+* [ ] **CSRF**: State-changing operations protected?
+* [ ] **Race conditions**: TOCTOU in any read-then-write patterns?
+* [ ] **Session**: Fixation, expiration, secure flags?
+* [ ] **Cryptography**: Secure random, proper algorithms, no secrets in logs?
+* [ ] **Information disclosure**: Error messages, logs, timing attacks?
+* [ ] **DoS**: Unbounded operations, missing rate limits, resource exhaustion?
+* [ ] **Business logic**: Edge cases, state machine violations, numeric overflow?
+
+## Phase 4: Verification
+
+For each potential issue:
+
+* Check if it's already handled elsewhere in the changed code
+* Search for existing tests covering the scenario
+* Read surrounding context to verify the issue is real
+
+## Phase 5: Pre-Conclusion Audit
+
+Before finalizing, you MUST:
+
+1. List every file you reviewed and confirm you read it completely
+2. List every checklist item and note whether you found issues or confirmed it's clean
+3. List any areas you could NOT fully verify and why
+4. Only then provide your final findings
+
+## Output Format
+
+**Prioritize**: security vulnerabilities > bugs > code quality
+
+**Skip**: stylistic/formatting issues
+
+For each issue:
+
+* **File:Line** - Brief description
+* **Severity**: Critical/High/Medium/Low
+* **Problem**: What's wrong
+* **Evidence**: Why this is real (not already fixed, no existing test, etc.)
+* **Fix**: Concrete suggestion
+* **References**: OWASP, RFCs, or other standards if applicable
+
+If you find nothing significant, say so - don't invent issues.
+
+Do not make changes - just report findings. I'll decide what to address.
@@ -0,0 +1,198 @@
+---
+name: skill-scanner
+description: Scan agent skills for security issues. Use when asked to "scan a skill",
+  "audit a skill", "review skill security", "check skill for injection", "validate SKILL.md",
+  or assess whether an agent skill is safe to install. Checks for prompt injection,
+  malicious scripts, excessive permissions, secret exposure, and supply chain risks.
+allowed-tools: Read, Grep, Glob, Bash
+---
+
+# Skill Security Scanner
+
+Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks.
+
+**Important**: Run all scripts from the repository root using the full path via `${CLAUDE_SKILL_ROOT}`.
+
+## Bundled Script
+
+### `scripts/scan_skill.py`
+
+Static analysis scanner that detects deterministic patterns. Outputs structured JSON.
+
+```bash
+uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>
+```
+
+Returns JSON with findings, URLs, structure info, and severity counts. The script catches patterns mechanically — your job is to evaluate intent and filter false positives.
+
+## Workflow
+
+### Phase 1: Input & Discovery
+
+Determine the scan target:
+
+- If the user provides a skill directory path, use it directly
+- If the user names a skill, look for it under `plugins/*/skills/<name>/` or `.claude/skills/<name>/`
+- If the user says "scan all skills", discover all `*/SKILL.md` files and scan each
+
+Validate the target contains a `SKILL.md` file. List the skill structure:
+
+```bash
+ls -la <skill-directory>/
+ls <skill-directory>/references/ 2>/dev/null
+ls <skill-directory>/scripts/ 2>/dev/null
+```
+
+### Phase 2: Automated Static Scan
+
+Run the bundled scanner:
+
+```bash
+uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>
+```
+
+Parse the JSON output. The script produces findings with severity levels, URL analysis, and structure information. Use these as leads for deeper analysis.
+
+**Fallback**: If the script fails, proceed with manual analysis using Grep patterns from the reference files.
+
+### Phase 3: Frontmatter Validation
+
+Read the SKILL.md and check:
+
+- **Required fields**: `name` and `description` must be present
+- **Name consistency**: `name` field should match the directory name
+- **Tool assessment**: Review `allowed-tools` — is Bash justified? Are tools unrestricted (`*`)?
+- **Model override**: Is a specific model forced? Why?
+- **Description quality**: Does the description accurately represent what the skill does?
+
+### Phase 4: Prompt Injection Analysis
+
+Load `${CLAUDE_SKILL_ROOT}/references/prompt-injection-patterns.md` for context.
+
+Review scanner findings in the "Prompt Injection" category. For each finding:
+
+1. Read the surrounding context in the file
+2. Determine if the pattern is **performing** injection (malicious) or **discussing/detecting** injection (legitimate)
+3. Skills about security, testing, or education commonly reference injection patterns — this is expected
+
+**Critical distinction**: A security review skill that lists injection patterns in its references is documenting threats, not attacking. Only flag patterns that would execute against the agent running the skill.
+
+### Phase 5: Behavioral Analysis
+
+This phase is agent-only — no pattern matching. Read the full SKILL.md instructions and evaluate:
+
+**Description vs. instructions alignment**:
+- Does the description match what the instructions actually tell the agent to do?
+- A skill described as "code formatter" that instructs the agent to read ~/.ssh is misaligned
+
+**Config/memory poisoning**:
+- Instructions to modify `CLAUDE.md`, `MEMORY.md`, `settings.json`, `.mcp.json`, or hook configurations
+- Instructions to add itself to allowlists or auto-approve permissions
+- Writing to `~/.claude/` or any agent configuration directory
+
+**Scope creep**:
+- Instructions that exceed the skill's stated purpose
+- Unnecessary data gathering (reading files unrelated to the skill's function)
+- Instructions to install other skills, plugins, or dependencies not mentioned in the description
+
+**Information gathering**:
+- Reading environment variables beyond what's needed
+- Listing directory contents outside the skill's scope
+- Accessing git history, credentials, or user data unnecessarily
+
+### Phase 6: Script Analysis
+
+If the skill has a `scripts/` directory:
+
+1. Load `${CLAUDE_SKILL_ROOT}/references/dangerous-code-patterns.md` for context
+2. Read each script file fully (do not skip any)
+3. Check scanner findings in the "Malicious Code" category
+4. For each finding, evaluate:
+   - **Data exfiltration**: Does the script send data to external URLs? What data?
+   - **Reverse shells**: Socket connections with redirected I/O
+   - **Credential theft**: Reading SSH keys, .env files, tokens from environment
+   - **Dangerous execution**: eval/exec with dynamic input, shell=True with interpolation
+   - **Config modification**: Writing to agent settings, shell configs, git hooks
+5. Check PEP 723 `dependencies` — are they legitimate, well-known packages?
+6. Verify the script's behavior matches the SKILL.md description of what it does
+
+**Legitimate patterns**: `gh` CLI calls, `git` commands, reading project files, JSON output to stdout are normal for skill scripts.
+
+### Phase 7: Supply Chain Assessment
+
+Review URLs from the scanner output and any additional URLs found in scripts:
+
+- **Trusted domains**: GitHub, PyPI, official docs — normal
+- **Untrusted domains**: Unknown domains, personal sites, URL shorteners — flag for review
+- **Remote instruction loading**: Any URL that fetches content to be executed or interpreted as instructions is high risk
+- **Dependency downloads**: Scripts that download and execute binaries or code at runtime
+- **Unverifiable sources**: References to packages or tools not on standard registries
+
+### Phase 8: Permission Analysis
+
+Load `${CLAUDE_SKILL_ROOT}/references/permission-analysis.md` for the tool risk matrix.
+
+Evaluate:
+
+- **Least privilege**: Are all granted tools actually used in the skill instructions?
+- **Tool justification**: Does the skill body reference operations that require each tool?
+- **Risk level**: Rate the overall permission profile using the tier system from the reference
+
+Example assessments:
+- `Read Grep Glob` — Low risk, read-only analysis skill
+- `Read Grep Glob Bash` — Medium risk, needs Bash justification (e.g., running bundled scripts)
+- `Read Grep Glob Bash Write Edit WebFetch Task` — High risk, near-full access
+
+## Confidence Levels
+
+| Level | Criteria | Action |
+|-------|----------|--------|
+| **HIGH** | Pattern confirmed + malicious intent evident | Report with severity |
+| **MEDIUM** | Suspicious pattern, intent unclear | Note as "Needs verification" |
+| **LOW** | Theoretical, best practice only | Do not report |
+
+**False positive awareness is critical.** The biggest risk is flagging legitimate security skills as malicious because they reference attack patterns. Always evaluate intent before reporting.
+
+## Output Format
+
+```markdown
+## Skill Security Scan: [Skill Name]
+
+### Summary
+- **Findings**: X (Y Critical, Z High, ...)
+- **Risk Level**: Critical / High / Medium / Low / Clean
+- **Skill Structure**: SKILL.md only / +references / +scripts / full
+
+### Findings
+
+#### [SKILL-SEC-001] [Finding Type] (Severity)
+- **Location**: `SKILL.md:42` or `scripts/tool.py:15`
+- **Confidence**: High
+- **Category**: Prompt Injection / Malicious Code / Excessive Permissions / Secret Exposure / Supply Chain / Validation
+- **Issue**: [What was found]
+- **Evidence**: [code snippet]
+- **Risk**: [What could happen]
+- **Remediation**: [How to fix]
+
+### Needs Verification
+[Medium-confidence items needing human review]
+
+### Assessment
+[Safe to install / Install with caution / Do not install]
+[Brief justification for the assessment]
+```
+
+**Risk level determination**:
+- **Critical**: Any high-confidence critical finding (prompt injection, credential theft, data exfiltration)
+- **High**: High-confidence high-severity findings or multiple medium findings
+- **Medium**: Medium-confidence findings or minor permission concerns
+- **Low**: Only best-practice suggestions
+- **Clean**: No findings after thorough analysis
+
+## Reference Files
+
+| File | Purpose |
+|------|---------|
+| `references/prompt-injection-patterns.md` | Injection patterns, jailbreaks, obfuscation techniques, false positive guide |
+| `references/dangerous-code-patterns.md` | Script security patterns: exfiltration, shells, credential theft, eval/exec |
+| `references/permission-analysis.md` | Tool risk tiers, least privilege methodology, common skill permission profiles |