Prometheus
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Prometheus monitoring query skill, but it can use stored Prometheus credentials and persistent local configuration.
Before installing, confirm you trust the bundled Node.js scripts, use read-only or least-privilege Prometheus credentials, protect the persisted prometheus.json file, and review any workspace or current-directory config before querying production monitoring systems.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access whatever Prometheus data the configured account can read, which may include sensitive infrastructure, service, alert, and target information.
The skill can use Prometheus Basic Auth credentials from config or environment variables and attach them to Prometheus API requests.
const user = instance?.user || process.env.PROMETHEUS_USER; ... headers['Authorization'] = `Basic ${auth}`;
Use least-privilege Prometheus credentials, prefer HTTPS endpoints, and verify that configured URLs are trusted before running queries.
Local configuration can steer which Prometheus servers are queried and which credentials are used, so stale or untrusted config files could affect future results.
The skill reuses persistent workspace/current-directory environment and config files to determine Prometheus URLs and credentials.
const envPaths = [ join(workspaceDir, '.env'), join(process.cwd(), '.env') ]; ... './prometheus.json', './config.json'
Keep workspace and project Prometheus config files trusted, review them before use, and consider passing an explicit --config path for sensitive environments.
Users may not realize from the registry metadata alone that the skill executes bundled JavaScript locally.
The skill relies on local Node.js scripts, while registry requirements list no required binaries and no install spec.
"engines": { "node": ">=18.0.0" }, "scripts": { "query": "node scripts/cli.js query" }
Treat this as a local CLI integration: ensure Node.js is expected, run it from the intended skill directory, and review configuration before first use.
