v1.0.2

rpe-grafana

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:57 AM.

Analysis

This skill appears to do what it says—read Grafana dashboards and panel values—but it needs Grafana credentials, so it should be configured with a read-only account.

Guidance: Install only if you are comfortable letting the agent read Grafana dashboards available to the configured account. Use a Viewer or otherwise least-privileged Grafana credential, avoid admin credentials, and use HTTPS or local-only access for Basic Auth.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
index.js
const queryRes = await grafanaFetch(url, user, password, "/api/ds/query", { method: "POST", body: JSON.stringify({ queries, from, to }) });

The tool can ask Grafana to execute stored panel queries through the datasource query API. It is scoped to existing dashboard panels rather than arbitrary user-supplied query text.

User impact: When invoked, the agent can retrieve metric values from existing Grafana panels and may create normal query load on Grafana or its datasources.
Recommendation: Keep the account read-only, use reasonable time ranges, and monitor usage if Grafana dashboards contain sensitive or high-load queries.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
index.js
user: pc.user || process.env.GRAFANA_USER || "admin", password: pc.password || process.env.GRAFANA_PASSWORD || "", ... Authorization: basicAuth(user, password)

The skill uses configured or environment Grafana credentials and sends them in an Authorization header for Grafana API requests.

User impact: The agent can read whatever dashboards, panels, and datasource-backed metric values the configured Grafana account is allowed to access.
Recommendation: Use a least-privilege Grafana Viewer account or limited token, avoid admin credentials, and prefer secure secret storage and HTTPS for non-local Grafana URLs.