grafana-monitoring

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation in SOURCE.md references the use of uvx mcp-grafana. This is a standard and safe deployment method for Python-based Model Context Protocol (MCP) servers from public registries.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it ingests and processes potentially untrusted external data.
      ◦ Ingestion points: External log data and traces are ingested via grafana__query_loki_logs and grafana__tempo_get-trace tools (documented in SKILL.md and references/loki-logql.md).
      ◦ Boundary markers: No explicit delimiter usage or instructions to ignore embedded commands are present in the skill's prompting logic.
      ◦ Capability inventory: The skill possesses write capabilities including grafana__create_incident, grafana__create_annotation, and grafana__add_activity_to_incident (SKILL.md).
      ◦ Sanitization: There is no evidence of sanitization or validation of the log content before it is processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 22, 2026, 04:54 AM