signoz-creating-alerts
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted natural-language user intent to configure monitoring alerts and execute diagnostic queries.
  - Ingestion points: User-supplied alert intent provided via $ARGUMENTS in SKILL.md.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the user intent when interpolating it into query templates or alert configurations.
  - Capability inventory: The skill utilizes powerful tools including signoz:signoz_execute_builder_query and signoz:signoz_create_alert to perform data probing and resource creation.
  - Sanitization: While the skill enforces OpenTelemetry semantic conventions for attribute names, it lacks explicit sanitization or validation mechanisms to prevent malicious payloads within user-provided strings from influencing generated SQL or PromQL logic.
- [COMMAND_EXECUTION]: The skill performs dynamic code generation (Category 10) by authoring ClickHouse SQL and PromQL queries at runtime based on user input.
  - Evidence: Step 4 describes authoring SQL directly for custom aggregations, and Step 6 involves executing these dynamically generated queries against the database to perform a validation dry-run. This execution occurs before the alert is finalized, potentially allowing for the execution of unauthorized database operations via crafted intents.
Audit Metadata