promql-generator
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill incorporates untrusted user data—such as metric names, label keys, and thresholds—into the logic of generated PromQL queries, creating a surface for indirect prompt injection.\n
- Ingestion points: Requirements and parameters gathered from user prompts and via the AskUserQuestion tool during the monitoring goal and parameter discovery phases (Stages 1-3).\n
- Boundary markers: The workflow mandates a 'Query Plan' stage (Stage 4) where the agent must explain the query logic in plain English and obtain user confirmation before any code is generated.\n
- Capability inventory: The skill generates PromQL queries for alerts, recording rules, and dashboards; it does not possess the capability to execute these queries directly on a server.\n
- Sanitization: The skill includes an automated validation step (Stage 6) that invokes the devops-skills:promql-validator skill to check the generated output for syntax errors and architectural anti-patterns.\n- [NO_CODE]: The skill does not include any executable scripts, binaries, or active code components. It consists entirely of instructional markdown, YAML configuration examples, and PromQL patterns.
Audit Metadata