grafana-assistant-cli
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references official pre-built binaries and Docker images hosted on Grafana's public GitHub repositories (
github.com/grafana/assistant-cli). - [COMMAND_EXECUTION]: Includes commands to manage system services, such as
grafana-assistant tunnel daemon install, which configures the tool to run as a persistent background process. - [COMMAND_EXECUTION]: The
assistant tunnelfeature allows a remote Grafana Assistant service to execute terminal commands on the local machine when the terminal tool is enabled. The tool documentation notes the existence of deny-lists for dangerous commands. - [DATA_EXFILTRATION]: The
assistant tunnelfeature provides a mechanism for a remote service to read files from the local filesystem within specified project paths. It includes built-in blocks for sensitive directories like.ssh,.aws, and.env. - [CREDENTIALS_UNSAFE]: The documentation describes standard practices for managing service account tokens using environment variables (
GRAFANA_SA_TOKEN) or configuration files. No hardcoded credentials or secrets were found in the skill text. - [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes untrusted data from external sources (logs, metrics, traces).
- Ingestion points: Ingests data from Grafana datasources and local project files via the tunnel.
- Boundary markers: Employs configurable allow/deny lists for both filesystem paths and terminal commands to limit the scope of remote actions.
- Capability inventory: The tool can execute subprocesses via the terminal tool and read local files via the filesystem tool.
- Sanitization: Uses internal block-lists for sensitive files and dangerous shell commands.
Audit Metadata