Aloudata CAN SKILLS - metric-query

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: metric-query
Version: 1.0.2

The metric-query skill bundle is a legitimate tool designed to help an AI agent construct complex JSON payloads for the Aloudata CAN metrics gateway API. It contains extensive documentation and 'iron rules' to ensure the agent generates valid queries, handles relative time correctly using NOW(), and avoids common logic errors in data analysis. While the skill requires 'env:read' for an API key and 'network:outbound' to 'gateway.can.aloudata.com', these permissions are strictly aligned with its stated purpose, and no evidence of data exfiltration, malicious execution, or harmful prompt injection was found in SKILL.md or _meta.json.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used, the agent can use your CAN_API_KEY to query the Aloudata gateway for metric metadata and metric data.

Why it was flagged

The skill requires reading and using an Aloudata CAN API key to authenticate gateway requests. This is expected for the integration, but the key can grant access to account or workspace metric data.

Skill content

env_vars:\n  - name: "CAN_API_KEY" ... required: true ... All requests must carry the API Key, passed via the `X-API-Key` request header

Recommendation

Use a least-privilege API key, keep it out of chat transcripts, and rotate it if it is exposed.

What this means

The agent may send metric names, filters, and query bodies to Aloudata to retrieve or construct metric results.

Why it was flagged

The skill documents outbound API calls, including a POST query endpoint. This is directly related to the metric-query purpose and is limited to the declared Aloudata gateway domain.

Skill content

Endpoint: POST `https://gateway.can.aloudata.com/api/metrics/query` ... curl -X POST ... -H "X-API-Key: $CAN_API_KEY"

Recommendation

Review generated query bodies before sending them when the metrics or filters involve sensitive business data.

What this means

The registry summary may not fully reflect the skill’s credential requirement or exact packaged version.

Why it was flagged

The registry metadata lists version 1.0.2 while _meta.json lists 1.0.0, and the registry requirements also understate the CAN_API_KEY requirement shown in SKILL.md. This is a provenance/metadata consistency issue, not evidence of malicious behavior.

Skill content

"version": "1.0.0"

Recommendation

Confirm you are installing the intended version and read SKILL.md’s frontmatter rather than relying only on the registry summary.