rpe-grafana

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward read-only Grafana integration, but it needs Grafana credentials and can read any dashboards and metric values that the account can access.

This skill looks safe for read-only Grafana lookups when configured carefully. Before installing, make sure the Grafana URL is trusted, use a read-only Viewer-level account or token, and avoid giving it credentials that can administer Grafana or access dashboards the agent should not see.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured with a broad or admin Grafana account, the agent may be able to read many dashboards and metric values, even though the skill does not write to Grafana.

Why it was flagged

The skill requires Grafana account credentials, so its read access is limited by whatever permissions those credentials have.

Skill content

- `GRAFANA_URL` - Grafana base URL
- `GRAFANA_USER` - Username
- `GRAFANA_PASSWORD` - Password or API key

Recommendation

Use a least-privilege Grafana Viewer/service account or token scoped only to dashboards and data the agent should read, and store the secret securely.

What this means

The agent can trigger Grafana to run panel-backed datasource queries and return current or recent values visible through those panels.

Why it was flagged

The query tool executes existing panel query targets through Grafana's datasource API; this is the core advertised function, but it is still a credentialed data-access operation.

Skill content

```js
const queryRes = await grafanaFetch(url, user, password, "/api/ds/query", {
  method: "POST",
  body: JSON.stringify({ queries, from, to }),
});
```

Recommendation

Only enable this skill for trusted Grafana instances, and keep use limited to user-requested dashboard and panel lookups.