Promql Cli

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Prometheus query helper that uses expected CLI tools and explicitly warns users not to pass credentials through the model.

Before installing, confirm you trust the promql-cli and jq packages, configure Prometheus credentials yourself with least privilege, and remember that metric queries can reveal sensitive operational details even though the skill itself does not show suspicious behavior.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may retrieve operational metrics from whatever Prometheus endpoint the local promql configuration can access.

Why it was flagged

The skill authorizes running the promql CLI and provides examples for querying a configured Prometheus-compatible system. This is central to the stated purpose, but users should recognize that the agent can execute metric queries against the configured host.

Skill content

allowed-tools: Read Edit Write Glob Grep Agent Bash(promql:*) ... Quick Command Reference ... promql 'up' ... promql metrics

Recommendation

Use this only with intended Prometheus hosts, keep queries scoped, and avoid asking the agent to run broad or expensive range queries unless needed.

What this means

If your local promql configuration holds broadly scoped tokens, the CLI, and therefore the agent invoking it, can query whatever those tokens permit.

Why it was flagged

The skill acknowledges that Prometheus credentials may be used by the CLI, but it also instructs the agent not to create credential files or handle tokens directly.

Skill content

Store credentials in `~/.promql-cli.yaml` and `~/.promql_token`, chmod 600 ... do not create config files on behalf of the user ... credentials ... must never pass through an LLM.

Recommendation

Use least-privilege Prometheus credentials, keep token files permission-restricted, and do not paste tokens into chat.

What this means

Installing the skill requires trusting the external promql-cli and jq packages from their package sources.

Why it was flagged

The skill relies on external CLI dependencies installed through Go and Homebrew. This is expected for the purpose, but the external package contents were not included in the provided artifacts.

Skill content

[0] go | package: github.com/nalbury/promql-cli | creates binaries: promql; [1] brew | formula: jq | creates binaries: jq

Recommendation

Install from trusted package managers, review the upstream project if your environment is sensitive, and pin versions where your deployment process supports it.