kibana-dashboards
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation mentions a setup command `curl -fsSL https://elastic.co/start-local | sh`. This script is hosted on the official Elastic domain (elastic.co) and is a standard method for setting up local development environments for the author's software.
- [CREDENTIALS_UNSAFE]: The tool handles authentication via environment variables (`KIBANA_API_KEY`, `KIBANA_PASSWORD`, `KIBANA_CLOUD_ID`). This is standard practice for CLI-based agent skills to interact with remote services.
- [COMMAND_EXECUTION]: The script `scripts/kibana-dashboards.js` uses the native `fetch` API to perform CRUD operations on Kibana. It provides an option to disable TLS validation (`KIBANA_INSECURE`), which is a known security trade-off for local development.
- [EXTERNAL_DOWNLOADS]: The skill references official documentation and GitHub repositories owned by Elastic. These are trusted sources for the specified author.
- [PROMPT_INJECTION]: The skill has an indirect injection surface because it ingests JSON data from external files or stdin. Ingestion points: `scripts/kibana-dashboards.js` (`loadSpec`). Boundary markers: absent. Capability inventory: network requests (`fetch`) in `scripts/kibana-dashboards.js`. Sanitization: absent. This could allow maliciously crafted dashboard definitions to influence the agent, though its capabilities are restricted to the Kibana API.
Audit Metadata