grafana-prometheus
Fail
Audited by Snyk on Mar 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes multiple examples that embed credentials verbatim (e.g., curl with http://admin:admin@..., GF_SECURITY_ADMIN_PASSWORD in docker-compose, GRAFANA_API_TOKEN in mcp.json, pagerduty/slack keys and webhook URLs), which requires the LLM to handle and potentially output secret values directly.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The MCP configuration invokes "npx -y @grafana/mcp-server" at runtime, which fetches and executes remote npm package code (@grafana/mcp-server from the npm registry) as a required dependency, so this external fetch can execute remote code.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).