Grafana

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but transparent Grafana API skill that requires user-provided credentials and explicit approval before making changes.

Install only if you trust Maton to proxy Grafana API traffic. Use a dedicated least-privilege Grafana service account token, avoid admin tokens unless required, review every proposed write carefully, and revoke the Maton connection when you are done.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The skill description promises access to dashboards, data sources, folders, annotations, alerts, and teams, but the documented API surface also includes service account enumeration and plugin listing. Expanding the effective capability beyond the declared scope weakens user consent and least-privilege assumptions, because an agent could access administrative inventory data the user may not expect.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal