signoz-creating-alerts

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires the agent to accept secret-bearing channel config (Slack webhook URLs, PagerDuty integration keys) and pass them verbatim to the signoz:signoz_create_notification_channel tool call, so the LLM must handle and include secret values in its generated tool-call payloads (even though the prompt forbids echoing them in chat).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The required workflow ingests outsider-authored free text via the user’s natural-language intent (e.g., $ARGUMENTS / recent user turn), which is not authored by the operating user’s organization and is then placed into the agent’s LLM context for parsing and preview generation.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs at runtime to read MCP resources signoz://alert/instructions and signoz://alert/examples to obtain the canonical alert schema and examples, which are fetched during execution and directly control how the agent composes alert payloads, so these signoz:// URLs are runtime external dependencies that influence agent instructions.