grafana-inspector
v1.0.0
Grafana automated inspection skill. Supports browser screenshots plus API data inspection, batch inspection of multiple dashboards, and automatic dashboard discovery.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: scripts call Grafana API endpoints, discover dashboards, generate reports and screenshots. The set of files and code are consistent with a Grafana inspection tool. There are no unrelated external services or unexpected credential requests.
Instruction Scope
SKILL.md instructs editing config.json and running the Python scripts, which is expected. However: (1) some troubleshooting text and comments mention Feishu (飞书) integration, but no code that posts to external document/chat endpoints was found — this is likely leftover documentation but creates confusion; (2) requests calls in inspection_report.py use verify=False (TLS verification disabled), which is a security risk (man-in-the-middle) and should be intentional only for internal/trusted networks; (3) the provided scripts, example config, and included config.json are inconsistent (keys like dashboard_uids vs dashboard_uid, discover_limit present in example but missing in the included config.json), which can cause incorrect behavior or user misconfiguration; (4) the displayed api_inspect.py snippet in the listing appears truncated (syntax cut mid-token) — if the shipped file contains such truncation it would raise import/runtime errors. These issues broaden the runtime scope beyond what's documented and increase risk of mistakes.
Install Mechanism
Instruction-only skill (no install spec). The code is shipped with the skill; no remote downloads or package installs are performed automatically. This is lower risk from an install mechanism perspective.
Credentials
The tool requires Grafana credentials (API key or username/password) to function — this is expected and proportionate. The skill requires no platform environment variables or unrelated credentials. Note: credentials are read from a local config file (config.json) rather than environment variables; make sure you store the API key with least-privilege (Viewer) and protect the file. Also note the mismatch between SKILL.md/example config keys and the included config.json which may lead to misconfiguration and accidentally leaving credentials in the wrong file or location.
Persistence & Privilege
always is false and the skill does not request any special platform persistence or modify other skills. It writes report files to the working directory (screenshots/reports), which is expected behavior for a reporting tool.
What to consider before installing
This skill is plausibly what it claims to be, but review and fix a few things before running it in production:
- Configuration: The SKILL.md and config.example.json use keys like "dashboard_uids" and "discover_limit", but the included scripts/config.json uses different keys (e.g., "dashboard_uid"). Fix or reconcile the config file so the scripts read the intended fields.
- Credentials: Provide a Grafana API key with the minimum necessary permissions (Viewer) and store config.json securely. The tool supports username/password in config but using API keys is preferable. The skill does not request platform env vars, but the config file contains secrets — treat it accordingly.
- TLS verification: inspection_report.py disables TLS verification (requests(..., verify=False)). This makes HTTPS connections susceptible to MITM. If your Grafana endpoint has valid TLS, change verify to True; if you must disable verification for internal tooling, accept the risk and limit network exposure.
- Leftover references: The docs mention Feishu integration; no evidence in the code of outbound posting. Treat these as stale comments but confirm no hidden endpoints (you can grep for remote URLs or 'requests.post' calls before running).
- Code integrity: The provided listing shows a truncated snippet of api_inspect.py. Ensure the repository's files are complete and syntactically correct; a broken module could raise import errors. Run the scripts in a safe environment first.
- Scope and network: The tool only talks to the Grafana URL you configure. Only point it at Grafana instances you control or trust. Do not run against public/unknown Grafana endpoints with privileged keys.
If you are not comfortable fixing the issues above, ask the skill author to: provide a single consistent config example, remove verify=False or make it configurable, remove stale Feishu references or implement them clearly, and confirm the shipped code files are complete and validated.
Static analysis finding at scripts/config.json:2
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Grafana automated inspection skill
Quick start
```bash
# 1. Configure
cd skills/grafana-inspector/scripts
cp config.example.json config.json
# edit config.json
# 2. Run
python main.py config.json
# or type the following in OpenClaw:
执行 Grafana 巡检   # "Run Grafana inspection"
```
Configuration
```json
{
"grafana_url": "http://localhost:3000",
"api_key": "",
"dashboard_uids": [],
"auto_discover": true,
"discover_limit": 10,
"inspection_mode": "hybrid",
"screenshot_dir": "./screenshots"
}
```
| Parameter | Description | Required |
|---|---|---|
| grafana_url | Grafana address | ✅ |
| api_key | API key (used for API inspection) | ✅ |
| dashboard_uids | List of dashboard UIDs | ❌ |
| auto_discover | Automatically discover dashboards | ❌ |
| discover_limit | Maximum number of dashboards to inspect | ❌ |
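The key mismatch the scan reports (a singular "dashboard_uid" where the scripts and this table expect "dashboard_uids", a missing "discover_limit") is cheap to catch before any script contacts Grafana. The validator below is an added example and not part of the skill; it checks a loaded config.json against the documented keys in the table above (treating inspection_mode and screenshot_dir from the example config as optional strings, an assumption) and reports near-miss key names, missing required fields, wrong types, an empty API key, a plain-http Grafana URL, and a configuration that would inspect nothing.

```python
import difflib
import json

# Documented keys and expected types: (type, required). Assumption: inspection_mode
# and screenshot_dir appear in the example config but not in the parameter table,
# so they are accepted here as optional strings.
SCHEMA = {
    "grafana_url": (str, True),
    "api_key": (str, True),
    "dashboard_uids": (list, False),
    "auto_discover": (bool, False),
    "discover_limit": (int, False),
    "inspection_mode": (str, False),
    "screenshot_dir": (str, False),
}


def validate_config(cfg: dict) -> list[str]:
    """Return human-readable problems; an empty list means the config is usable."""
    problems = []
    for key, (typ, required) in SCHEMA.items():
        if key not in cfg:
            if required:
                problems.append(f"missing required key '{key}'")
            continue
        value = cfg[key]
        # bool is a subclass of int, so reject true/false where an int is expected
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            problems.append(f"'{key}' should be {typ.__name__}, got {type(value).__name__}")
    for key in cfg:
        if key not in SCHEMA:
            # catch near-miss spellings such as dashboard_uid vs dashboard_uids
            near = difflib.get_close_matches(key, SCHEMA, n=1, cutoff=0.8)
            hint = f" (did you mean '{near[0]}'?)" if near else ""
            problems.append(f"unknown key '{key}'{hint}")
    if cfg.get("api_key") == "":
        problems.append("'api_key' is empty; create a Viewer-scoped key and paste it here")
    url = cfg.get("grafana_url", "")
    if isinstance(url, str) and url.startswith("http://") and "localhost" not in url:
        problems.append("'grafana_url' uses plain http; the API key would travel unencrypted")
    if not cfg.get("dashboard_uids") and not cfg.get("auto_discover"):
        problems.append("no 'dashboard_uids' and 'auto_discover' is off: nothing would be inspected")
    return problems


def validate_file(path: str) -> list[str]:
    with open(path, encoding="utf-8") as fh:
        return validate_config(json.load(fh))


# Constructed sample mirroring the mismatch the scan describes (singular key, no limit).
SAMPLE_BAD = {"grafana_url": "http://grafana.internal:3000", "api_key": "", "dashboard_uid": ["abc123"]}
```

Run `validate_file("scripts/config.json")` and fix every reported line before pointing the scripts at a real instance.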
Usage
Method 1: command line
```bash
cd skills/grafana-inspector/scripts
python inspect_report.py config.json
```
Method 2: OpenClaw
执行 Grafana 巡检 ("Run Grafana inspection")
Output
- inspection_*.json - JSON results
- inspection_*.md - Markdown report
Getting a dashboard UID
- Open the Grafana dashboard
- Look at the URL: https://grafana/d/{UID}/{name}
- Copy the UID part
Getting an API key
- Grafana → Configuration → API keys
- Create a key with Viewer permission
- Copy it into the config
File structure
```text
grafana-inspector/
├── scripts/
│   ├── api_inspect.py   # API inspection
│   ├── main.py          # main script
│   └── config.json      # configuration
├── screenshots/         # screenshots
├── SKILL.md             # skill definition
└── README.md            # documentation
```
Troubleshooting
API connection failure
- Check that the API key is correct
- Verify network connectivity
- Confirm the Grafana service is healthy
- Check the Feishu authorization status