@kansodata/kansodata-grafana-plugin
OpenClaw plugin and operational skill for secure Grafana read-only diagnostics with gated future write operations.
Install
$
openclaw plugins install clawhub:@kansodata/kansodata-grafana-plugin@kansodata/kansodata-grafana-plugin
OpenClaw external plugin and operational skill for secure Grafana diagnostics.
Current Scope (v0.1.0)
This version is read-focused and hardened by default:
- Read-only Grafana API tools for health, dashboards, datasources, alert rules, and folders
- Explicit action gates with fail-closed defaults for future write operations
- Config validation, token redaction, normalized HTTP errors, and timeout controls
- Operational skill for inspect/diagnose/propose workflows
Not Included Yet
- Real write operations (create/update dashboards or alert rules)
- Destructive actions (delete dashboards/rules)
- Grafana user/role/permission administration
Prerequisites
- Node.js
>=22.14.0 - Access to a Grafana instance API
- Grafana service-account token with minimum required read permissions
Install
npm install
npm run build
Configuration
Primary configuration comes from env vars (or OpenClaw plugin config with same keys).
| Variable | Required | Default | Description |
|---|---|---|---|
GRAFANA_URL | Yes | - | Grafana base URL (HTTPS recommended; strict TLS default). |
GRAFANA_TOKEN | Yes | - | Grafana service-account token. |
GRAFANA_ORG_ID | No | unset | Optional org context header (X-Grafana-Org-Id). |
GRAFANA_TIMEOUT_MS | No | 10000 | Request timeout in ms (1000-60000). |
GRAFANA_TLS_STRICT | No | true | If true, only HTTPS URL accepted. |
Action Gates (default policy)
{
"read": true,
"create": false,
"update": false,
"delete": false,
"alerting_write": false
}
Available Tools
Read-only tools:
grafana_health_checkgrafana_list_dashboardsgrafana_get_dashboardgrafana_export_dashboard_jsongrafana_list_datasourcesgrafana_list_alert_rulesgrafana_list_folders
Future-write stubs (explicitly disabled in v1):
grafana_create_dashboardgrafana_update_dashboardgrafana_clone_dashboardgrafana_create_alert_rulegrafana_update_alert_rule
Usage Examples
See:
docs/examples.mddocs/scope.mdskills/kansodata-grafana-authoring-operations/SKILL.md
Alert Rules Compatibility
grafana_list_alert_rules now uses safe endpoint fallback:
GET /api/v1/provisioning/alert-rules(primary)GET /api/alert-rules(legacy fallback on 404)
The client also maps non-array grouped payloads into a flat compact output for agents.
Security Posture
- No token logging (redaction helper enforced)
- No sensitive header dump
- Fail-closed on invalid config
- Safe error normalization for 401/403/404/5xx and timeout
- Read-only by default with explicit gates for future writes
Quality Commands
npm run lint
npm run typecheck
npm run build
npm test
npm pack
Optional Real Integration Validation
When GRAFANA_URL and GRAFANA_TOKEN are available, integration tests run:
npm test
If env vars are missing, integration tests are skipped automatically and only unit tests run.
Short Roadmap
- Implement gated
create/updatewith dry-run and policy checks. - Add diff-based dashboard proposal/apply flow.
- Add alert rule proposal/apply flow with stronger context checks.
- Expand integration tests with real Grafana sandbox environment.
