victoriametrics-unused-metrics-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute curl and jq commands that communicate with VictoriaMetrics API endpoints to fetch status and metric usage data.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by processing untrusted data (metric names) and interpolating it into PromQL queries.
  1. Ingestion points: Metric names and usage statistics fetched from the VictoriaMetrics API, following the instructions in SKILL.md.
  2. Boundary markers: No delimiters or other markers wrap external content when it is placed inside the PromQL queries.
  3. Capability inventory: Bash(curl) is used to perform API requests and execute queries.
  4. Sanitization: Metric names are not explicitly sanitized before they are used to build PromQL regex patterns or query strings.
Audit Metadata