Low Risk — Risk Score 20/100
Last scan: 18 hr ago
grafana-inspector
Grafana automated inspection skill. Supports browser screenshots + API data inspection, batch inspection of multiple dashboards, and automatic dashboard discovery.
Grafana automation inspection skill with legitimate API-based monitoring behavior; minor documentation inconsistency (browser screenshot mentioned but not implemented) and SSL verification disabled, but no malicious functionality detected.
Skill Name: grafana-inspector
Duration: 37.3s
Engine: pi
Safe to install
Pin the requests library version, enable SSL verification (remove verify=False), and align SKILL.md documentation with actual implementation to eliminate misleading descriptions.

Findings (3 items)

Severity | Finding | Category | Location

Low | Documentation claims browser screenshot capability not implemented | Doc Mismatch | SKILL.md:4
Detail: SKILL.md advertises '支持浏览器截图 + API 数据巡检' ("supports browser screenshots + API data inspection"), but no browser automation code (Selenium, Playwright, Puppeteer) exists in any Python file. All inspection is purely API-based. This is a doc-to-code mismatch.
Evidence: 支持浏览器截图 + API 数据巡检
→ Remove the browser screenshot claim from the documentation or implement the feature.
Medium | SSL verification disabled in HTTP requests | Sensitive Access | scripts/inspection_report.py:77
Detail: inspection_report.py sets verify=False in all requests.get() calls, disabling SSL certificate validation and exposing API communications to man-in-the-middle attacks.
Evidence: verify=False
→ Remove verify=False or set verify=True. If self-signed certificates are needed, point verify explicitly at the certificate file.
Low | No pinned dependency versions | Supply Chain | scripts/api_inspect.py:6
Detail: The skill uses the requests library but does not specify a version or pin it in any dependency file. This allows potentially vulnerable versions to be installed.
Evidence: import requests
→ Add a requirements.txt or pyproject.toml with pinned versions, e.g., requests>=2.31.0.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/api_inspect.py:26 requests.get(...)
Filesystem | WRITE | WRITE | ✓ Aligned | scripts/main.py:53 open(json_path, 'w')
Shell | NONE | NONE | | No subprocess/shell calls found
Environment | NONE | NONE | | No os.environ access
Skill Invoke | NONE | NONE | | No skill_invoke calls found
Clipboard | NONE | NONE | | No clipboard access
Browser | READ | NONE | ✓ Aligned | SKILL.md line 4: '支持浏览器截图' ("supports browser screenshots") but no browser automation code in any .py file
Database | NONE | NONE | | No database access
External URLs (2 findings)

Medium | External URL | https://grafana/d/ | SKILL.md:68
Medium | External URL | http://127.0.0.1:3000 | scripts/config.json:2

File Tree

7 files · 29.4 KB · 929 lines
Python 3f · 800L Markdown 2f · 108L JSON 2f · 21L
├─ 📁 scripts
│ ├─ 🐍 api_inspect.py Python 334L · 11.5 KB
│ ├─ 📋 config.example.json JSON 13L · 296 B
│ ├─ 🔑 config.json JSON 8L · 178 B
│ ├─ 🐍 inspection_report.py Python 395L · 12.8 KB
│ └─ 🐍 main.py Python 71L · 2.1 KB
├─ 📝 README.md Markdown 12L · 528 B
└─ 📝 SKILL.md Markdown 96L · 2.0 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | unspecified | import | No | No requirements.txt or version pin; library used in api_inspect.py and inspection_report.py

Security Positives

✓ All network operations are directed at the user-configured Grafana URL, which is expected behavior
✓ No credential harvesting — API key is used as Bearer token for legitimate Grafana API calls
✓ No obfuscation techniques (base64, eval, atob) found
✓ No subprocess/shell execution detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration — all results are written to local files only
✓ No persistence mechanisms (cron, startup hooks, backdoors) detected
✓ No prompt injection instructions found