πŸ”AI RiskAtlas
← Scenario library

The Bug Report That Ran Code

A fake Sentry error report hijacks a developer's coding agent into running a shell command

Technique first revealed 12 Jun 2026

Tool-Using Agent
UntrustedAgent coreOversightThe real worldgoalπŸ§‘UserπŸŽ›οΈOrchestrator /Agent Loop🧠LLMπŸ”Identity &PermissionsπŸ”§Tool Runtimeβœ‹Human ApprovalGateπŸ”ŒExternal APIsπŸ—„οΈBusinessDatabase🌐UntrustedContentπŸ“Audit Logging🌐Attacker(public DSN)🧰Sentry MCPserver
InstructionsDataActionsControl / decisionFeedback / logs
πŸ‘† Click a component to inspect
SetupStep 1 / 7

A trusted integration

A developer connects their AI coding assistant to Sentry so it can read the app's error reports and help fix bugs. The assistant now has a button it can press to fetch those reports whenever it needs them.

βš™οΈMCP client config (agent ↔ Sentry)config
{
  "mcpServers": {
    "sentry": {
      "command": "npx",
      "args": ["-y", "@sentry/mcp-server"],
      "env": { "SENTRY_AUTH_TOKEN": "<DEV_READ_TOKEN>" }
    }
  }
}

// Tools exposed: list_issues, get_issue, get_event
// NOTE: read token authenticates the SERVER, not each event it returns.

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning β€” not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading β†’Β·Built by Shi Yuan β†—