query-metrics
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes authenticated requests to official Axiom API endpoints (api.axiom.co and regional edge domains like *.edge.axiom.co) to fetch metrics and dataset metadata. These operations are essential for the skill's primary functionality and target legitimate vendor infrastructure.
- [COMMAND_EXECUTION]: Shell scripts utilize standard system utilities including curl, jq, and awk to interact with APIs and process results. The scripts implement safe practices such as using arrays for curl arguments and the --arg flag in jq to prevent injection vulnerabilities during data processing.
- [CREDENTIALS_UNSAFE]: The skill reads API tokens and organization IDs from a local configuration file (~/.axiom.toml). This approach aligns with industry standards for secure credential management in CLI tools and avoids the risks associated with hardcoded secrets or environment variable exposure.
- [PROMPT_INJECTION]: The skill processes external data from metrics datasets and tag values. While this represents a theoretical surface for indirect prompt injection, the risk is minimal given the structured nature of the data and its context within monitoring workflows. 1. Ingestion points: scripts/axiom-api (API responses), scripts/datasets, scripts/metrics-info. 2. Boundary markers: Absent (standard JSON display). 3. Capability inventory: curl (network), jq (JSON), awk/sed (parsing), chmod (setup). 4. Sanitization: Utilizes jq for structured data extraction and display.
Audit Metadata