Aloudata CAN SKILLS - metric-query
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent can use your CAN_API_KEY to query the Aloudata gateway for metric metadata and metric data.
The skill requires reading and using an Aloudata CAN API key to authenticate gateway requests. This is expected for the integration, but the key can grant access to account or workspace metric data.
env_vars:\n - name: "CAN_API_KEY" ... required: true ... 所有请求必须携带 API Key,通过请求头 `X-API-Key` 传递
Use a least-privilege API key, keep it out of chat transcripts, and rotate it if it is exposed.
The agent may send metric names, filters, and query bodies to Aloudata to retrieve or construct metric results.
The skill documents outbound API calls, including a POST query endpoint. This is directly related to the metric-query purpose and is limited to the declared Aloudata gateway domain.
接口: POST `https://gateway.can.aloudata.com/api/metrics/query` ... curl -X POST ... -H "X-API-Key: $CAN_API_KEY"
Review generated query bodies before sending them when the metrics or filters involve sensitive business data.
The registry summary may not fully reflect the skill’s credential requirement or exact packaged version.
The registry metadata lists version 1.0.2 while _meta.json lists 1.0.0, and the registry requirements also understate the CAN_API_KEY requirement shown in SKILL.md. This is a provenance/metadata consistency issue, not evidence of malicious behavior.
"version": "1.0.0"
Confirm you are installing the intended version and read SKILL.md’s frontmatter rather than relying only on the registry summary.