get_event_attachment
on npm:@sentry/mcp-server@0.35.0
Severity
1 finding on this tool
- medium | indirect injection | f-r6-get_event_attachment
Tool `get_event_attachment` fetches external web content -- indirect-injection surface
Description:

"Download attachments from a Sentry event. Use this tool when you need to:
- Download files attached to a specific event
- Access screenshots, log files, or other attachments uploaded with an error report
- Retrieve attachment metadata and download URLs

<examples>
### Download a specific attachment by ID
```
get_event_attachment(organizationSlug='my-organization', projectSlug='my-project', eventId='c49541c747cb4d8aa3efb70ca5aba243', attachmentId='12345')
```
### List all attachments for an event
```
get_event_attachment(organizationSlug='my-organization', projectSlug='my-project', eventId='c49541c747cb4d8aa3efb70ca5aba243')
```
</examples>
<hints>
- If `attachmentId` is provided, the specific attachment will be downloaded as an embedded resource
- If `attachmentId` is omitted, all attachments for the event will be listed with download information
- The `projectSlug` is required to identify which project the event belongs to
</hints>"

This tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.
fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.
OWASP LLM01, NIST MEASURE-2.3, ATLAS T0051
About this tool
get_event_attachment is one of 23 tools exposed by Sentry MCP. The server scored 70/100 overall against the capframe rule engine (source: sandbox). Last scanned 2026-06-05.
The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.