grafana-insepction

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.install_untrusted_source

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Grafana API key grants whatever read access its role has: every dashboard, alert rule and datasource record visible to that key is visible to the skill, and to anyone who obtains a copy of the key.

Why it was flagged

The skill requires a Grafana API key to perform the inspection. This is expected for the stated purpose, and the documentation recommends a Viewer-scoped key, but users should still treat the token as an account credential rather than a harmless setting.

Skill content
`api_key` | API Key (for API inspection) | ✅ ... create a key with Viewer permission
Recommendation

Use a dedicated Viewer-scoped token, avoid admin tokens, verify the Grafana URL before running, and revoke the token when no longer needed.
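A pre-flight check that applies this recommendation before the token is used, as an added example that is not part of the skill or of ClawScan's output. It assumes the operator keeps an allowlist of approved Grafana hosts and has already fetched the service-account document for the token from Grafana's HTTP API; the field names `role`, `isDisabled` and `isGrafanaAdmin`, and the sample document below, are assumptions, not output captured from a real instance.

```python
"""Pre-flight checks before handing a Grafana token to the inspection skill.

Added example, not the skill's own code. The host allowlist, the
service-account field names and SAMPLE_ACCOUNT are assumptions.
"""
from urllib.parse import urlsplit

# Assumption: hosts the operator has explicitly approved for this skill.
ALLOWED_GRAFANA_HOSTS = {"grafana.internal.example.com"}


def check_grafana_url(url: str) -> list:
    """Return the problems with a Grafana base URL; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_GRAFANA_HOSTS:
        problems.append(f"host {host!r} is not on the approved list")
    if parts.username or parts.password:
        problems.append("URL embeds credentials; pass the token in a header instead")
    return problems


def check_token_scope(account: dict) -> list:
    """Return the problems with the service account a token belongs to.

    Field names are assumed; `role` is compared against the Viewer role
    that the skill documentation asks for.
    """
    problems = []
    role = account.get("role")
    if role != "Viewer":
        problems.append(f"token role is {role!r}, expected Viewer")
    if account.get("isGrafanaAdmin"):
        problems.append("token belongs to a server admin account")
    if account.get("isDisabled"):
        problems.append("service account is disabled")
    return problems


def mask_token(token: str) -> str:
    """Render a token safe for logs: keep only the first and last four characters."""
    if len(token) <= 8:
        return "*" * len(token)
    return f"{token[:4]}{'*' * (len(token) - 8)}{token[-4:]}"


def preflight(url: str, account: dict) -> list:
    """Combine both checks; run the skill only if this returns an empty list."""
    return check_grafana_url(url) + check_token_scope(account)


# Constructed sample: an over-privileged account that should be rejected.
SAMPLE_ACCOUNT = {"name": "grafana-inspection", "role": "Admin", "isDisabled": False}

if __name__ == "__main__":
    for problem in preflight("https://grafana.internal.example.com", SAMPLE_ACCOUNT):
        print("refusing to run:", problem)
    print("token for logs:", mask_token("abcdefghijklmnop"))
```

Exact host matching is deliberate: a suffix match would accept `grafana.internal.example.com.attacker.example`, which is the kind of look-alike URL the recommendation asks users to verify against.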

What this means

Generated reports could reveal internal monitoring information if stored in a shared directory or sent to others.

Why it was flagged

Inspection results are persisted to local report files. The reports are purpose-aligned, but may contain internal Grafana dashboard, alert, and datasource details.

Skill content
json_path = f"inspection_{timestamp}.json" ... json.dump(results, f, indent=2, ensure_ascii=False) ... md_path = f"inspection_{timestamp}.md"
Recommendation

Keep generated reports private, review them before sharing, and delete them when no longer needed.
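A report writer that keeps the skill's `inspection_{timestamp}.json` naming but enforces this recommendation on disk, as an added example that is not the skill's code. It writes into a directory only the current user can read, creates the file with mode 0600 and without clobbering an existing path, and strips datasource credential fields before serialising. The sensitive key names and the sample results are assumptions, not data captured from a Grafana instance.

```python
"""Persist inspection results as private, redacted report files.

Added example, not the skill's own code. SENSITIVE_KEYS, the substring
rule and SAMPLE_RESULTS are assumptions about what a report may contain.
"""
import json
import os
import stat
import tempfile
from datetime import datetime, timezone
from typing import Optional

# Assumption: keys whose values must never reach a report on disk. Any key
# containing "secret", "token" or "password" is redacted as well.
SENSITIVE_KEYS = {"basicAuthUser", "basicAuthPassword", "secureJsonData", "password"}
SENSITIVE_SUBSTRINGS = ("secret", "token", "password")


def _is_sensitive(key: str) -> bool:
    lowered = key.lower()
    return key in SENSITIVE_KEYS or any(s in lowered for s in SENSITIVE_SUBSTRINGS)


def redact(value):
    """Return a copy of `value` with sensitive dictionary values replaced."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if _is_sensitive(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def write_private_report(results: dict, directory: Optional[str] = None,
                         timestamp: Optional[str] = None) -> str:
    """Write the redacted results to a new JSON report and return its path."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="grafana-inspection-")
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs keeps an existing directory's mode, so enforce it
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = os.path.join(directory, f"inspection_{timestamp}.json")
    # O_EXCL refuses to open an existing path, including a symlink planted by
    # another local user; 0o600 keeps the report readable by its owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(redact(results), f, indent=2, ensure_ascii=False)
    return path


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def report_permissions(path: str) -> Optional[int]:
    """POSIX permission bits of a report, or None where the platform has none."""
    if os.name != "posix":
        return None
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample of what an inspection run might collect.
SAMPLE_RESULTS = {
    "dashboards": [{"uid": "abc123", "title": "Payments latency"}],
    "datasources": [
        {"name": "prom", "type": "prometheus", "url": "http://prom.internal:9090",
         "basicAuthUser": "scraper", "basicAuthPassword": "hunter2",
         "jsonData": {"httpHeaderName1": "X-Scope-OrgID"}},
    ],
}

if __name__ == "__main__":
    out = write_private_report(SAMPLE_RESULTS)
    print("wrote", out, "mode", oct(report_permissions(out) or 0))
```

Redaction happens at write time rather than at share time on purpose: a report that never contained the credential cannot leak it when it is later copied from the directory.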

What this means

The skill may fail until dependencies are installed, and users may need to choose a trusted source for those dependencies.

Why it was flagged

The skill has no install specification or dependency declaration, but the script depends on the third-party requests package. This is a minor setup/provenance gap rather than evidence of hidden installation behavior.

Skill content
import requests
Recommendation

Install Python dependencies from a trusted package index/environment and verify the full script contents before running.

Findings (1)

warn

suspicious.install_untrusted_source

Location
scripts/config.json:2
Finding
Install source points to URL shortener or raw IP.
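The check behind this finding, and behind the dependency-provenance note above, written out as an added example; it is not ClawScan's rule implementation. It assumes an install spec laid out as a JSON document with an `install` list of `{"name", "source"}` entries; that layout, the shortener list and the sample document are assumptions, not the contents of scripts/config.json. It goes one step beyond the rule text by also flagging plaintext `http` sources, since those can be tampered with in transit.

```python
"""Flag install sources that point at URL shorteners or raw IP addresses.

Added example, not ClawScan's rule implementation. The spec layout,
SHORTENER_HOSTS and SAMPLE_SPEC are assumptions.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: a short illustrative list; a real scanner would carry a maintained one.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "rb.gy", "cutt.ly"}


def is_raw_ip(host: str) -> bool:
    """True for a literal IPv4/IPv6 address (urlsplit already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify_install_source(source: str) -> list:
    """Return the reasons an install source is untrusted; an empty list means no signal."""
    reasons = []
    parts = urlsplit(source)
    if parts.scheme not in ("https", "http"):
        return reasons  # bare package names and local paths are out of scope for this rule
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host in URL")
        return reasons
    if is_raw_ip(host):
        reasons.append(f"raw IP address {host}")
    if host in SHORTENER_HOSTS or any(host.endswith("." + s) for s in SHORTENER_HOSTS):
        reasons.append(f"URL shortener {host} hides the real origin")
    if parts.scheme == "http":
        reasons.append("plaintext http allows tampering in transit")
    return reasons


def scan_install_spec(spec_text: str) -> list:
    """Parse the spec and return (name, source, reasons) for every flagged entry."""
    spec = json.loads(spec_text)
    findings = []
    for entry in spec.get("install", []):
        source = entry.get("source", "")
        reasons = classify_install_source(source)
        if reasons:
            findings.append((entry.get("name", "?"), source, reasons))
    return findings


# Constructed sample: one clean entry and two that the rule should flag.
SAMPLE_SPEC = json.dumps({
    "install": [
        {"name": "requests", "source": "https://pypi.org/simple/requests/"},
        {"name": "helper", "source": "https://bit.ly/3xyz"},
        {"name": "plugin", "source": "http://203.0.113.7/plugin.tar.gz"},
    ]
})

if __name__ == "__main__":
    for name, source, reasons in scan_install_spec(SAMPLE_SPEC):
        print(f"warn suspicious.install_untrusted_source: {name} <- {source}: {'; '.join(reasons)}")
```

A shortener and a raw IP are flagged for the same underlying reason: neither lets a reviewer tie the download to a named, accountable origin, so the artifact cannot be audited before it runs.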