grafana-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Privilege Escalation (MEDIUM): The skill provides tools to modify user permissions and promote accounts to 'Grafana Admin' via endpoints like /api/admin/users/:id/permissions. While this is a primary purpose of the management skill, it presents a significant risk if misused by an agent.
- Persistence Mechanisms (MEDIUM): The skill allows the creation of service accounts and the generation of long-lived service account tokens (POST /api/serviceaccounts/:id/tokens), which can be used to establish and maintain unauthorized persistent access.
- Indirect Prompt Injection (LOW): The skill ingests untrusted user-controlled data from Grafana that could contain malicious instructions.
- Ingestion points: Dashboard metadata, descriptions, and annotation text retrieved via GET /api/dashboards/uid/:uid and GET /api/annotations.
- Boundary markers: Absent; there are no instructions to the agent to ignore embedded commands in the data.
- Capability inventory: Full resource CRUD, user management, and local script execution via 'bun run'.
- Sanitization: Absent; the skill does not specify any escaping or validation for external content.
- Dynamic Execution (MEDIUM): The skill relies on 'bun run Tools/DashboardCrud.ts' for its core workflows. This pattern of executing local scripts based on agent-generated parameters constitutes a command execution surface.
- Data Exposure & Exfiltration (LOW): The skill facilitates the configuration of data sources with 'secureJsonData' (e.g., InfluxDB tokens, database passwords) and enables the creation of external webhooks (e.g., Slack, PagerDuty), which could be used to exfiltrate sensitive monitoring data.
Audit Metadata