nissan

Observability Lgtm

Author: Nissan Dookeran · GitHub · v1.2.0
cross-platform ⚠ suspicious
Total downloads: 499
Favorites: 0
Current installs: 1
Versions: 5
Install in OpenClaw
/install observability-lgtm
Description
Set up a full local LGTM observability stack (Loki + Grafana + Tempo + Prometheus + Alloy) for FastAPI apps. One Docker Compose, one Python import, unified d...
Safe usage recommendations
This skill largely does what it says: it gives you a local Grafana+Prometheus+Loki+Tempo stack and a small Python helper to instrument FastAPI apps. Before installing, check these operational issues:
  1. The docker-compose references ./config/alloy/config.alloy but that file is not present in the package — you must supply or remove the Alloy service to avoid startup failure.
  2. The SKILL.md claims 'no outbound network calls' but docker compose up will pull container images from registries (ensure your machine can fetch Docker images).
  3. The copy example uses SKILL_DIR as a placeholder; adapt it to the actual skill path when copying files.
  4. Grafana is configured to allow anonymous Admin access for local dev — this is convenient but exposes an admin UI on the host network port (3000); ensure your machine firewall/networking is configured appropriately if you're on an untrusted network.
  5. The register_app.sh writes targets into the local prometheus targets directory (intended behavior) — ensure file permissions allow writing and that the ./config/prometheus/targets directory exists.
If you want to proceed: add or provide the missing Alloy config, confirm Docker can pull images, and review the included docker-compose.yml and Python logging paths to ensure they match your desired workspace layout.
Functional analysis
Type: OpenClaw Skill
Name: observability-lgtm
Version: 1.2.0
The skill bundle aims to set up a local observability stack, and its declared intent (`network: outbound: false`) is upheld by the code, with all network calls directed to localhost or host.docker.internal. However, the `assets/scripts/register_app.sh` script and the `assets/lib/observability.py` library both exhibit path traversal vulnerabilities. Specifically, the `service_name` parameter, if user-controlled and unsanitized, could allow an attacker to write Prometheus target configuration files or log directories/files to arbitrary locations on the host filesystem. While the content written is benign (Prometheus config, JSON logs), the ability to write to arbitrary paths is a significant vulnerability, classifying the skill as suspicious rather than benign.
Capability assessment
Purpose & Capability
Name/description, required binaries (docker, docker-compose), included Docker Compose and a FastAPI Python library align with the stated goal of a local LGTM stack. However, docker-compose references an Alloy config at ./config/alloy/config.alloy which is not present in the provided file manifest — this will cause the stack to fail unless the file is added. Also the SKILL.md copy commands use a placeholder SKILL_DIR which is not defined; the user must adapt that when copying files.
Instruction Scope
Runtime instructions stay within the stated purpose (copy files into a workspace, start docker compose, install Python deps, instrument FastAPI, register apps). Minor scope issues: SKILL.md states 'no outbound network calls' while docker compose up will pull container images from registries (network outbound required). The instructions assume certain directories exist (e.g., config/prometheus/targets) and use a SKILL_DIR placeholder; these are usability mismatches rather than malicious behavior.
Install Mechanism
There is no separate install spec (instruction-only), which reduces risk. The stack relies on official container images (grafana, prom, loki, tempo, alloy) pulled by docker compose; that requires outbound network access to Docker registries. No arbitrary remote download URLs or extract operations are present in the skill bundle itself.
Credentials
The skill does not request secrets or credentials. The included Python code optionally reads OPENCLAW_LOG_DIR and OTLP_ENDPOINT (both optional and defaulted) but these are not required inputs. No unrelated credentials or config paths are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It writes files into the user workspace (projects/observability) and the register_app.sh writes JSON to the local config/prometheus/targets directory — both are expected for this functionality. It does not modify other skill configs or request long-term platform presence.
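How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install observability-lgtm
  3. Once installation completes, invoke the Skill by name or trigger it with /observability-lgtm
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history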
v1.2.0
Added network disclosure (no outbound), docker in bins
v1.1.0
Updates and fixes
v1.0.2
Fix: homepage now points to public GitHub repo
v1.0.1
Initial publish: LGTM stack (Loki+Grafana+Tempo+Prometheus+Alloy) for FastAPI on Apple Silicon. One Docker Compose, one Python import, unified Grafana dashboards.
v1.0.0
Initial release: LGTM stack (Loki+Grafana+Tempo+Prometheus+Alloy) for FastAPI on Apple Silicon. One Docker Compose, one Python import.
Metadata
Slug observability-lgtm
Version 1.2.0
License
Total installs 1
Current installs 1
Version count 5
FAQ

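What is Observability Lgtm?

Set up a full local LGTM observability stack (Loki + Grafana + Tempo + Prometheus + Alloy) for FastAPI apps. One Docker Compose, one Python import, unified d... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 499 total downloads to date.

How do I install Observability Lgtm?

Run the command "/install observability-lgtm" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Observability Lgtm free?

Yes, Observability Lgtm is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Observability Lgtm support?

Observability Lgtm runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Observability Lgtm?

Developed and maintained by Nissan Dookeran (@nissan); the current version is v1.2.0.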
