Promql Validator
Author: qq280948982 · v0.1.0 · MIT-0
Total downloads: 240
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install promql-validator
Description
Validate, lint, audit, or fix PromQL queries and alerting rules; detects anti-patterns.
Safe usage recommendations
What to check before installing/running this skill:
- Review the included Python scripts yourself (validate_syntax.py, check_best_practices.py, test_validators.py). They appear to be static PromQL analyzers and the provided excerpts show no network calls or obfuscated code, but you should still inspect the full sources.
- The SKILL.md expects to run commands that use python3 and git and to be executed from the repository root. The skill metadata does not declare these binaries; ensure your environment has python3 and git or ask the author to declare them. Prefer running the scripts with absolute paths to the skill folder instead of cd'ing to repo root to limit file access.
- Because the instructions tell the agent to use git rev-parse --show-toplevel (and to cite lines from repository files), the skill may read arbitrary files in whatever repository the agent runs in. If you run this in a repository containing secrets, run the skill in an isolated/sandboxed environment or a copy of the repo without sensitive data.
- Run the test suite locally (scripts/test_validators.py) before granting the agent autonomy. That will show what outputs the scripts produce and help you validate they behave as expected.
- If you plan to allow autonomous invocation, consider restricting its scope (or require manual approval) because reading repository-wide files increases privacy risk. Ask the publisher to: (a) declare required binaries (python3, git) in metadata, and (b) change instructions to use absolute skill paths or limit file access to the skill's folder to avoid accidental exposure of unrelated repository contents.
Functional analysis
Type: OpenClaw Skill
Name: promql-validator
Version: 0.1.0
The skill provides PromQL validation and linting using local Python scripts. It is classified as suspicious because the instructions in SKILL.md direct the AI agent to execute shell commands using unsanitized user input (the "<query>" parameter), which constitutes a shell injection vulnerability. While the underlying Python scripts (validate_syntax.py and check_best_practices.py) are well-documented, include a test suite (test_validators.py), and perform only safe regex-based analysis without dangerous imports or network access, the instruction pattern itself creates a high-risk surface for prompt injection attacks against the agent.
Capability assessment
Purpose & Capability
The name/description (PromQL validation, linting, anti-pattern detection) aligns with the included Python scripts (validate_syntax.py, check_best_practices.py, tests). However the SKILL.md assumes runtime tools/paths (python3, git and a repo layout like devops-skills-plugin/skills/promql-validator/scripts/...) while the skill metadata declares no required binaries or env vars. That mismatch (scripts will be executed but runtime requirements are not declared) is an inconsistency users should be aware of.
Instruction Scope
The runtime instructions direct the agent to cd to the repository root via git rev-parse --show-toplevel and to cite files by file path and line number. That requires reading files in the repository (docs/, examples, etc.) and possibly files outside the skill folder. The scripts themselves appear to be local static analyzers and (based on provided sources) do not perform network I/O or credential access, but the 'run from repo root' requirement widens the read surface and could cause the agent to access arbitrary repo files. The two-phase STOP/WAIT flow is sensible and limits automatic changes, which is good.
Install Mechanism
There is no install spec (instruction-only install), which is low risk. But code files are included and the SKILL.md instructs running them with python3. The skill metadata did not declare python3 or git as required binaries; that omission is a mismatch to the runtime commands. Because the code will be executed directly, verify the runtime interpreter (python3) and that the files are trusted.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The provided scripts operate on query strings and local file contents only, so no extra secrets appear to be required.
Persistence & Privilege
always:false and no install scripts are present. The skill does not request persistent or system-level privileges and does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation:false) is allowed by default; this is normal but increases runtime blast radius if combined with other issues (none detected here).
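How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install promql-validator
- Once installation completes, call the skill by name or use /promql-validator to trigger it.
- Provide the required inputs according to the skill's parameter description to get structured output.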
Version history
v0.1.0
Initial release with multi-level PromQL validation, explanation, and workflow guidance:
- Validates PromQL syntax and semantics, detecting common mistakes and anti-patterns.
- Suggests optimizations and best practices for efficient query writing.
- Explains PromQL queries in plain English, including output labels and structure.
- Provides step-by-step interactive planning to align queries with user intent.
- Includes citation-based recommendations referencing examples and documentation.
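Metadata
FAQ
What is Promql Validator?
Validate, lint, audit, or fix PromQL queries and alerting rules; detects anti-patterns. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 240 cumulative downloads to date.
How do I install Promql Validator?
Run the command "/install promql-validator" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Promql Validator free?
Yes, Promql Validator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Promql Validator support?
Promql Validator is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Promql Validator?
It is developed and maintained by qq280948982 (@qq280948982); the current version is v0.1.0.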