grafana-inspector

This skill is plausibly what it claims to be, but review and fix a few things before running it in production: - Configuration: The SKILL.md and config.example.json use keys like "dashboard_uids" and "discover_limit", but the included scripts/config.json uses different keys (e.g., "dashboard_uid"). Fix or reconcile the config file so the scripts read the intended fields. - Credentials: Provide a Grafana API key with the minimum necessary permissions (Viewer) and store config.json securely. The tool supports username/password in config but using API keys is preferable. The skill does not request platform env vars, but the config file contains secrets — treat it accordingly. - TLS verification: inspection_report.py disables TLS verification (requests(..., verify=False)). This makes HTTPS connections susceptible to MITM. If your Grafana endpoint has valid TLS, change verify to True; if you must disable verification for internal tooling, accept the risk and limit network exposure. - Leftover references: The docs mention Feishu integration; no evidence in the code of outbound posting. Treat these as stale comments but confirm no hidden endpoints (you can grep for remote URLs or 'requests.post' calls before running). - Code integrity: The provided listing shows a truncated snippet of api_inspect.py. Ensure the repository's files are complete and syntactically correct; a broken module could raise import errors. Run the scripts in a safe environment first. - Scope and network: The tool only talks to the Grafana URL you configure. Only point it at Grafana instances you control or trust. Do not run against public/unknown Grafana endpoints with privileged keys. If you are not comfortable fixing the issues above, ask the skill author to: provide a single consistent config example, remove verify=False or make it configurable, remove stale Feishu references or implement them clearly, and confirm the shipped code files are complete and validated.