grafana-insepction
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Grafana inspection tool, but users should review its API-key use, local report output, and packaging/documentation inconsistencies before running it.
Before running this skill, use a dedicated Viewer-scoped Grafana API key, confirm the configured Grafana URL is yours, prefer HTTPS for non-local Grafana instances, and keep generated reports private. Also note that the supplied artifacts do not clearly implement the advertised screenshot feature and include minor command/dependency inconsistencies, so verify the full script and dependencies first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Grafana API key can expose dashboards, alerts, and datasource metadata available to that key.
The skill requires a Grafana API key for inspection. This is expected for the stated purpose and the documentation recommends Viewer scope, but users should still treat the token as account access.
`api_key` | API Key (for API inspection) | ✅ ... create a Key with Viewer permission
Use a dedicated Viewer-scoped token, avoid admin tokens, verify the Grafana URL before running, and revoke the token when no longer needed.
Generated reports could reveal internal monitoring information if stored in a shared directory or sent to others.
Inspection results are persisted to local report files. The reports are purpose-aligned, but may contain internal Grafana dashboard, alert, and datasource details.
json_path = f"inspection_{timestamp}.json" ... json.dump(results, f, indent=2, ensure_ascii=False) ... md_path = f"inspection_{timestamp}.md"
Keep generated reports private, review them before sharing, and delete them when no longer needed.
The skill may fail until dependencies are installed, and users may need to choose a trusted source for those dependencies.
The skill has no install specification or dependency declaration, but the script depends on the third-party requests package. This is a minor setup/provenance gap rather than evidence of hidden installation behavior.
import requests
Install Python dependencies from a trusted package index/environment and verify the full script contents before running.
