Low risk: risk score 20/100
Last scan: 18 hours ago
grafana-inspector
Grafana automated inspection skill. Supports browser screenshots + API data inspection, batch inspection of multiple dashboards, and automatic dashboard discovery.
Grafana automation inspection skill with legitimate API-based monitoring behavior; minor documentation inconsistency (browser screenshot mentioned but not implemented) and SSL verification disabled, but no malicious functionality detected.
Skill name: grafana-inspector
Analysis time: 37.3s
Engine: pi
Verdict: OK to install
Pin the requests library version, enable SSL verification (remove verify=False), and align SKILL.md documentation with actual implementation to eliminate misleading descriptions.

Security findings (3)

Low: Documentation claims browser screenshot capability not implemented (category: documentation deception)
SKILL.md advertises '支持浏览器截图 + API 数据巡检' ("supports browser screenshots + API data inspection"), but no browser automation code (Selenium, Playwright, Puppeteer) exists in any Python file. All inspection is purely API-based. This is a doc-to-code mismatch.
Evidence: 支持浏览器截图 + API 数据巡检
→ Remove the browser screenshot claim from the documentation or implement the feature.
Location: SKILL.md:4

Medium: SSL verification disabled in HTTP requests (category: sensitive access)
inspection_report.py sets verify=False in all requests.get() calls, disabling TLS certificate validation. Anyone on the path to the Grafana server can impersonate it and read the Bearer API key and dashboard data in transit.
Evidence: verify=False
→ Remove verify=False (requests validates certificates by default). If Grafana uses a self-signed or private-CA certificate, point the verify argument at that CA bundle's file path instead of turning validation off.
Location: scripts/inspection_report.py:77

Low: No pinned dependency versions (category: supply chain)
The skill uses the requests library but does not specify or pin a version in any dependency file, so whichever version pip resolves at install time is used, including potentially vulnerable ones.
Evidence: import requests
→ Add a requirements.txt or pyproject.toml with an exact pin, e.g., requests==2.31.0 (a lower bound such as requests>=2.31.0 is a constraint, not a pin).
Location: scripts/api_inspect.py:6
Permissions: declared vs inferred

Resource | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ consistent | scripts/api_inspect.py:26 requests.get(...)
File system | WRITE | WRITE | ✓ consistent | scripts/main.py:53 open(json_path, 'w')
Command execution | NONE | NONE | | No subprocess/shell calls found
Environment variables | NONE | NONE | | No os.environ access
Skill invocation | NONE | NONE | | No skill_invoke calls found
Clipboard | NONE | NONE | | No clipboard access
Browser | READ | NONE | ✓ consistent (over-declared: declared but unused, see finding 1) | SKILL.md line 4 claims '支持浏览器截图' (browser screenshots) but no browser automation code exists in any .py file
Database | NONE | NONE | | No database access
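The permission inference above (declared vs inferred capabilities) and the verify=False finding can both be reproduced with a short static check over the skill's source. The following is an added example written for this report; it is not the scanner's (engine "pi") code and not the skill's own code. It uses only the Python standard library. The two SAMPLE_* strings are constructed stand-ins that mimic the patterns the report cites at scripts/inspection_report.py:77 and scripts/main.py:53, not the real file contents, and the CA bundle path in the hardened sample is an assumed placeholder.

```python
"""Static capability inference and verify=False check (added example for this report,
not the scanner's or the skill's code; stdlib only). The SAMPLE_* sources are constructed
stand-ins for the patterns the report cites, not real file contents; the CA bundle path
is an assumed placeholder."""
import ast
from dataclasses import dataclass, field

# Constructed sample of the weak pattern: Bearer token sent with TLS validation off.
SAMPLE_WEAK = '''
import requests

def fetch(url, api_key):
    r = requests.get(url, headers={"Authorization": f"Bearer {api_key}"}, verify=False)
    return r.json()

def save(json_path, data):
    with open(json_path, "w") as fh:
        fh.write(data)
'''

# Constructed hardened variant: verify names a private CA bundle (assumed path), so a
# self-signed Grafana certificate is accepted without disabling validation.
SAMPLE_HARDENED = '''
import requests
def fetch(url, api_key, ca_bundle="/etc/ssl/certs/grafana-ca.pem"):
    r = requests.get(url, headers={"Authorization": f"Bearer {api_key}"}, verify=ca_bundle)
    return r.json()
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

@dataclass
class Capabilities:
    network: bool = False
    fs_write: bool = False
    command_exec: bool = False
    env_access: bool = False
    insecure_tls: list = field(default_factory=list)  # (line number, call or target)

def _dotted(node):
    """Render a Name/Attribute chain such as requests.get as 'requests.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def _is_write_mode(call):
    """True for open(path, 'w'/'a'/'x'/'+'), whether positional or mode=."""
    mode = call.args[1].value if len(call.args) >= 2 and isinstance(call.args[1], ast.Constant) else None
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")

def infer(source):
    """Walk the AST once and record which resources the code actually touches."""
    caps = Capabilities()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            root, _, leaf = name.rpartition(".")
            if (root == "requests" and leaf in HTTP_METHODS) or name == "urllib.request.urlopen":
                caps.network = True
            if root == "subprocess" or name in {"os.system", "os.popen"}:
                caps.command_exec = True
            if name == "os.getenv":
                caps.env_access = True
            if name == "open" and _is_write_mode(node):
                caps.fs_write = True
            # verify=False on any call turns certificate validation off.
            caps.insecure_tls += [(node.lineno, name) for kw in node.keywords
                                  if kw.arg == "verify" and getattr(kw.value, "value", None) is False]
        elif isinstance(node, ast.Attribute) and _dotted(node) == "os.environ":
            caps.env_access = True
        elif isinstance(node, ast.Assign) and getattr(node.value, "value", None) is False:
            # session.verify = False is the same weakness in Session form.
            caps.insecure_tls += [(node.lineno, _dotted(t)) for t in node.targets
                                  if isinstance(t, ast.Attribute) and t.attr == "verify"]
    return caps

def permission_table(caps):
    """Collapse inferred capabilities into the report's READ/WRITE/NONE vocabulary."""
    return {"network": "READ" if caps.network else "NONE",
            "file_system": "WRITE" if caps.fs_write else "NONE",
            "command_execution": "EXEC" if caps.command_exec else "NONE",
            "environment": "READ" if caps.env_access else "NONE"}

def compare(declared, inferred):
    """Per resource: consistent, over-declared (declared but unused, like the browser
    row above), undeclared (used but never declared: should block install) or mismatch."""
    verdict = {}
    for resource in declared.keys() | inferred.keys():
        d, i = declared.get(resource, "NONE"), inferred.get(resource, "NONE")
        verdict[resource] = ("consistent" if d == i else "over-declared" if i == "NONE"
                             else "undeclared" if d == "NONE" else "mismatch")
    return verdict
```

Running infer over SAMPLE_WEAK reports network READ, file system WRITE and one verify=False hit; the hardened sample keeps the network capability but yields no TLS hit, which is the state the finding asks for. The compare step is what turns a declared-permission manifest into the status column above: the interesting outcome for a reviewer is "undeclared", a capability the code uses that the manifest never mentioned.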
External URLs (2 findings)

Severity | Type | URL | Location
Medium | External URL | https://grafana/d/ | SKILL.md:68
Medium | External URL | http://127.0.0.1:3000 | scripts/config.json:2 (loopback address on Grafana's default listen port)

Directory structure

7 files · 29.4 KB · 929 lines
Python: 3 files, 800 lines · Markdown: 2 files, 108 lines · JSON: 2 files, 21 lines
├─ 📁 scripts
│ ├─ 🐍 api_inspect.py Python 334L · 11.5 KB
│ ├─ 📋 config.example.json JSON 13L · 296 B
│ ├─ 🔑 config.json JSON 8L · 178 B
│ ├─ 🐍 inspection_report.py Python 395L · 12.8 KB
│ └─ 🐍 main.py Python 71L · 2.1 KB
├─ 📝 README.md Markdown 12L · 528 B
└─ 📝 SKILL.md Markdown 96L · 2.0 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | unspecified | import | none listed (no version to match advisories against) | No requirements.txt or version pin; library used in api_inspect.py and inspection_report.py

Security highlights

✓ All network operations are directed at the user-configured Grafana URL, which is expected behavior
✓ No credential harvesting — API key is used as Bearer token for legitimate Grafana API calls
✓ No obfuscation techniques (base64, eval, atob) found
✓ No subprocess/shell execution detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration — all results are written to local files only
✓ No persistence mechanisms (cron, startup hooks, backdoors) detected
✓ No prompt injection instructions found