Is darkstards9/grafana-plugin safe?
https://github.com/openclaw/skills/tree/main/skills/darkstards9/grafana-plugin
This Grafana plugin skill appears legitimate and safe, implementing read-only access to Grafana dashboards as advertised. While it requires sensitive credentials and can access monitoring data, this is necessary for its intended functionality and no malicious behavior was detected.
Category Scores
Findings (4)
MEDIUM Requires sensitive Grafana credentials -10
The skill requires GRAFANA_URL, GRAFANA_USER, and GRAFANA_PASSWORD environment variables to authenticate with Grafana instances. While legitimate for the skill's purpose, these credentials provide access to potentially sensitive monitoring data.
LOW Access to monitoring data -5
The skill can read all dashboards and panel data that the provided Grafana user has access to, which may include sensitive infrastructure metrics and monitoring data.
LOW Contains executable JavaScript code -10
The skill includes JavaScript code that registers tools and makes HTTP requests. The code appears benign and implements standard plugin functionality.
INFO Standard plugin functionality -15
The skill implements exactly what it advertises - read-only access to Grafana dashboards and panels through standard HTTP API calls with proper authentication.