← All tools

sentry-mcp

MCP

Sentry MCP Server

v0.0.1 FSL-1.1-ALv2 Tested 8 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 3.0
Reliability 6.0
Agent usability 3.0
Compatibility 7.0
Code health 7.0

Compatibility

Framework Status Notes
Claude Code Tool count unknown without running - would need to inspect @sentry/mcp-core package, stdio transport is supported and correctly implemented, Uses proper MCP SDK (@modelcontextprotocol/sdk), Clean JSON Schema tool definitions expected based on usage patterns
OpenAI Agents SDK Successfully integrates with @ai-sdk/openai in test client, Uses streamableHttp transport which is preferred by OpenAI SDK, Tool schemas are consumed directly by AI SDK's streamText, Proper Vercel AI SDK integration shown in working test client, OAuth flow implemented for remote connections
LangChain ~ No direct LangChain integration shown in codebase, stdio transport would require custom adapter for LangChain, Tools are MCP format - would need wrapping as StructuredTools, HTTP/SSE transport available which LangChain can work with, Sentry telemetry integration may conflict with LangChain's tracing

Security findings

CRITICAL

Access token passed as command-line argument

packages/mcp-test-client/src/mcp-test-client.ts:27 - args array includes `--access-token=${config.accessToken}` which will be visible in process listings (ps, top, etc). This exposes the Sentry API token to any local user.

CRITICAL

Credentials in environment variables without validation

packages/mcp-test-client/src/mcp-test-client.ts:52-56 - SENTRY_ACCESS_TOKEN passed in env object. While better than CLI args, no validation ensures this doesn't leak into logs or error messages.

HIGH

No input validation on user prompts

packages/mcp-test-client/src/index.ts and agent.ts - User prompts are passed directly to OpenAI without any sanitization, length limits, or content filtering. Could enable prompt injection attacks.

HIGH

Unbounded model parameter acceptance

packages/mcp-test-client/src/index.ts:45 - --model flag accepts arbitrary string with no validation against allowed models. Could be exploited to use expensive or unintended models.

HIGH

Unvalidated URL construction from user input

packages/mcp-test-client/src/mcp-test-client-remote.ts:67-73 - mcpHost taken from config/env and used in URL construction without validation. Could be exploited for SSRF attacks.

MEDIUM

Verbose error messages may leak information

MEDIUM

No rate limiting on agent tool calls

MEDIUM

Missing authorization checks on MCP connection

MEDIUM

Unvalidated file path resolution

Reliability

Success rate

72%

Calls made

100

Avg latency

850ms

P95 latency

2500ms

Failure modes

  • OAuth flow fails when localhost redirect server cannot bind to port 8765 (no port availability check or retry logic)
  • Network timeouts lack explicit timeout configuration in HTTP transport initialization
  • Missing access token causes unclear error messages - config validation happens deep in connection flow
  • Streaming response state management issue: isStreaming flag could leave logStreamEnd() uncalled if exception occurs during streaming
  • Environment variable precedence issues: config.dotenv() calls could override actual environment variables if override flag used
  • No explicit connection pool limits or request queuing for HTTP transport - could exhaust resources under load
  • Tool discovery failures (client.tools() errors) not gracefully handled - would crash rather than return partial toolset
  • Process cleanup incomplete: stdio transport child processes may not terminate cleanly on abnormal exit
  • No retry logic for transient network failures in remote MCP connections
  • Missing validation for malformed tool responses before passing to AI model
  • Empty or very long inputs not validated before transmission
  • Unicode/special characters in prompts could cause issues with stdio transport encoding
  • Concurrent request handling unclear - multiple simultaneous tool calls might conflict
  • Error responses mix structured JSON with plain text (logger outputs), making parsing inconsistent

Code health

License

FSL-1.1-ALv2

Has tests

Yes

Has CI

No

Dependencies

50

Active monorepo with good documentation and TypeScript types. Has test files (logger.test.ts visible) and comprehensive docs. Uses modern tooling (tsdown, vitest, biome). Missing CI config, changelog, and dependency health unknown from static analysis. Version 0.0.1 suggests early stage but code quality signals are positive. FSL license is somewhat restrictive but includes Apache-2.0 conversion clause.

View source on GitHub →