grafana-assistant-cli

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references official pre-built binaries and Docker images hosted on Grafana's public GitHub repositories (github.com/grafana/assistant-cli).
  • [COMMAND_EXECUTION]: Includes commands to manage system services, such as grafana-assistant tunnel daemon install, which configures the tool to run as a persistent background process.
  • [COMMAND_EXECUTION]: The assistant tunnel feature allows a remote Grafana Assistant service to execute terminal commands on the local machine when the terminal tool is enabled. The tool documentation notes the existence of deny-lists for dangerous commands.
  • [DATA_EXFILTRATION]: The assistant tunnel feature provides a mechanism for a remote service to read files from the local filesystem within specified project paths. It includes built-in blocks for sensitive directories like .ssh, .aws, and .env.
  • [CREDENTIALS_UNSAFE]: The documentation describes standard practices for managing service account tokens using environment variables (GRAFANA_SA_TOKEN) or configuration files. No hardcoded credentials or secrets were found in the skill text.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes untrusted data from external sources (logs, metrics, traces).
  • Ingestion points: Ingests data from Grafana datasources and local project files via the tunnel.
  • Boundary markers: Employs configurable allow/deny lists for both filesystem paths and terminal commands to limit the scope of remote actions.
  • Capability inventory: The tool can execute subprocesses via the terminal tool and read local files via the filesystem tool.
  • Sanitization: Uses internal block-lists for sensitive files and dangerous shell commands.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 10:14 AM
Security Audit — agent-trust-hub — grafana-assistant-cli