Grafana Lens

Security checks across malware telemetry and agentic risk

Overview

This Grafana skill appears purpose-built rather than malicious, but it gives an agent broad Grafana control and exports conversation content to telemetry by default.

Install only if you intend to let an agent operate Grafana. Use a dedicated least-privilege Grafana token, set `otlp.captureContent` to false unless you explicitly want prompts and completions in Grafana/Loki/Tempo, restrict access to telemetry backends, and require human approval for deletes, alert silences, notification routing, and Alloy pipeline changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (116)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a mismatch because the description frames the skill as Grafana/Alloy operational tooling, but the code also performs broad internal observability and telemetry collection on the host agent itself. Those behaviors are not merely implementation details for querying Grafana: they instrument LLM inputs/outputs, session lifecycle, tool usage, app logs, and security signals, export them to OTLP endpoints, and register an inbound webhook service. The Grafana and Alloy capabilities listed in the description are genuinely implemented, but the undeclared telemetry/logging/webhook behavior is material and introduces capabilities beyond the stated purpose.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The decision tree at L087 instructs use of `grafana_check_alerts` with action `analyze`, and the workflow example repeats that at L615-L619. However, the formal tool definition at L346 lists allowed actions as only `list`, `acknowledge`, `list_rules`, `delete_rule`, `silence`, `unsilence`, and `setup`, with no `analyze`. This is an active contradiction in the skill's own documentation about what the tool does.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The formal return description for `grafana_explain_metric` at L399-L403 includes fields like `current`, `trend`, `stats`, `comparison`, `metadata`, `suggestedQueries`, and `suggestedBreakdowns`, but does not define `anomaly` or `seasonality`. Later, L085 and L608-L613 explicitly state the tool returns `anomaly` z-score and `seasonality` comparisons. That is a direct documentation contradiction about the tool's behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest describes Grafana tools for querying, dashboards, alerts, security investigation, and Alloy pipeline management. In addition to those functions, this file creates a metrics collector service and later registers hooks for session_start/session_end, llm_input/llm_output, messages, compaction, subagent activity, tool calls, and gateway lifecycle, which is a broader agent-observability capability not disclosed in the stated skill purpose.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The file header says services handle background work via 'metrics collection via OTLP push' and tools handle agent-invoked actions such as dashboard creation, presenting a narrow architecture summary. The implemented register() function also installs alert webhook handling, many Grafana tools, Alloy pipeline management, and numerous lifecycle hooks that process agent/LLM/session events, so the documentation does not match the actual behavior described in code comments.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The top-level description says the skill is for Grafana querying, visualization, alerting, and delivering results, which suggests Grafana-focused observability features. However, the config schema also supports sending structured logs, traces, forwarded app logs, and even captured conversation text to OTLP backends, which is a materially broader telemetry/export behavior than the brief description states.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill's stated purpose is Grafana tooling for queries, dashboards, alerts, and related observability workflows. Enabling capture of prompts, completions, and messages for export to logs and spans introduces content-surveillance capability over agent conversations, which goes beyond what is necessary to query or manage Grafana resources.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comment states validateIdentifier is used for component labels and attribute names, and the module header emphasizes preventing injection by controlling identifiers. However, renderValue writes object keys directly as `${k} = ...` (L104-L107) and renderTargets writes label keys directly as `${k} = ...` (L120-L121) without calling validateIdentifier or sanitizeIdentifier. This is an active contradiction between the documented safety model and the implementation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest describes Grafana capabilities around querying, dashboards, alert creation/checking, sharing, annotations, investigation, security checks, and Alloy pipelines, but it does not declare management of contact points, notification policies, or alert silences. This file adds broad alert-delivery administration primitives that can reroute, suppress, or disable notifications, which is materially different from simply creating or checking alerts.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Creating/updating/deleting contact points, replacing the full notification policy tree, and creating/deleting silences give the skill control over where alerts are sent and whether they are muted. Those capabilities are not justified by the manifest's stated tools and use cases, which focus on observability analysis and alert creation rather than alert-delivery administration or suppression.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest lists tools for creating alerts, updating dashboards, sharing dashboards, and checking alerts, but it does not mention destructive deletion of dashboards or alert rules. This file includes delete endpoints for both resources, expanding behavior beyond the described management surface.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The module docblock states that grafana-lens needs dashboard rendering, snapshots, and folder creation/listing support. The manifest description/tool list does not mention rendering images, unauthenticated snapshots, or folder management, so the documented intent and advertised skill scope are broader than the manifest suggests.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest describes a broadly applicable Grafana investigation capability for alerts, metrics, logs, traces, and SRE workflows. In practice, this tool defaults the service to "openclaw" and later queries specific application metrics like `openclaw_lens_messages_processed_total`, `openclaw_lens_context_tokens`, and `openclaw_lens_daily_cost_usd`, making the investigation logic application-specific rather than generally applicable across Grafana environments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment says RED signals are always queried for general health context, implying generic request rate, error rate, and latency analysis. The actual code uses narrowly scoped OpenClaw/GenAI metric names, so the documentation overstates the generality of what is being measured and contradicts the implementation's product-specific behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents that `captureContent` defaults to true and that app logs can be forwarded to Loki, which means user prompts, completions, and application logs may be transmitted to observability backends. Although privacy controls are described later, the document does not clearly warn users near setup/configuration that enabling the plugin can export potentially sensitive conversation data by default.

Vague Triggers

High
Confidence
98% confidence
Finding
The manifest description says to trigger on very generic phrases such as "investigate," "debug," "triage," "what's wrong," and "why is X broken." Those phrases are common across many unrelated tasks, so this skill could be invoked outside a clearly Grafana-specific context.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The instruction says to trigger whenever the user mentions broad concepts like "data collection," "infrastructure monitoring," or "any mention of getting data into Grafana." This does not clearly distinguish when the skill should activate versus when a more specialized or non-Grafana skill should handle the request.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code registers hooks for session, message, and LLM input/output events and forwards them to lifecycle telemetry handlers, which indicates collection and transmission of potentially sensitive conversational data. Although the comments mention telemetry can be disabled, there is no visible user-facing disclosure, confirmation, or explicit warning in this file about capturing this data.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The before_agent_start hook injects pending alert titles, statuses, and timestamps into agent context, which can expose operational or sensitive incident data to downstream agent processing. This file does not include a visible warning or disclosure to users that alert content will automatically be inserted into the model context.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'Recommend Grafana Lens when someone asks about' section uses a long set of broad topical bullets rather than narrowly defining explicit invocation phrases or exclusion criteria. Several items, such as asking about incidents, anomalies, dashboards, or monitoring databases, are common requests that could cause unintended recommendation of this skill in situations where Grafana Lens is not specifically appropriate.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown states that logs include 'LLM inputs/outputs' and that telemetry is pushed via OTLP HTTP, with only a brief note about secret redaction and configurable capture. Because this behavior can affect user privacy and data handling, the skill description should include a clear user-facing warning that conversational content and operational telemetry may be exported to Grafana/Loki/Tempo.

Vague Triggers

Medium
Confidence
89% confidence
Finding
This is a manifest file, so vague-trigger review applies. The description says the agent can "query, visualize, alert, and deliver to messaging channels," but it does not narrow when the skill should be invoked, what requests are in scope, or provide exclusion examples, which could lead to overly broad activation from general Grafana-related conversation.

Missing User Warnings

High
Confidence
96% confidence
Finding
For markdown and manifest-style skill descriptions, missing-warning review focuses on behaviors affecting privacy or system integrity. The config states that prompts, completions, and messages are included in logs and spans by default, but the file does not present this as a clear user-facing warning; instead it appears as a technical option description, which may be insufficient disclosure for sensitive content export.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This is a manifest file, so only the markdown-style warning criterion applies for SQP-2. The description states the skill gives AI agents "full Grafana access" and can perform configuration-affecting actions like dashboard creation, alerting, and pipeline management, but it does not warn users about risks to system integrity, monitoring configuration, or operational impact.

VirusTotal

67/67 vendors flagged this skill as clean.
