grafana-oss

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains multiple examples that embed plaintext secrets and tokens (smtp/db passwords, client_secret, admin_password, and a curl Authorization: Bearer header), which would lead an agent to include secret values verbatim in generated configs/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md "Creating Dashboards / Import" flow explicitly allows entering a Grafana.com dashboard ID or pasting/uploading arbitrary dashboard JSON (grafana.com/grafana/dashboards), meaning the agent would fetch/ingest untrusted, user-generated third‑party content that can modify dashboards, alerts, links, and subsequent actions.