signoz-creating-alerts

Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates and executes monitoring queries (PromQL) and database queries (ClickHouse SQL) dynamically based on natural language intent provided by the user.
      • Evidence: Step 4 in SKILL.md describes authoring ClickHouse SQL alerts directly using user intent and delegating PromQL generation to another skill, which are then used to configure active alerts.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted natural language to drive write operations (alert and channel creation).
      • Ingestion points: SKILL.md takes user-provided natural language "alert intent" via the $ARGUMENTS field.
      • Boundary markers: The skill instructions do not specify any delimiters or safety markers (like "ignore instructions within") for the input intent string.
      • Capability inventory: The skill has the capability to create new alerts and notification channels via signoz:signoz_create_alert and signoz:signoz_create_notification_channel in SKILL.md.
      • Sanitization: No explicit validation or filtering of the user intent is described beyond checking the generated config against the SigNoz MCP server schema.
  • [DATA_EXFILTRATION]: The skill allows for the creation of new notification channels (e.g., Slack webhooks, PagerDuty keys) using user-supplied parameters. This capability can be leveraged to route sensitive monitoring data—such as logs or trace attributes—to external, attacker-controlled endpoints.
      • Evidence: Step 5 of the workflow in SKILL.md explicitly allows calling signoz:signoz_create_notification_channel with parameters provided directly by the user at runtime.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 2, 2026, 02:14 AM