// SCAN REPORT

Grafana

29 tools. 4 can modify or destroy data without limits.

4 write tools that can modify data. Rate limits recommended.

Last updated:

4 can modify or destroy data
25 read-only
29 tools total
// TOOL MAP
Read (25) Write / Execute (4) Destructive / Financial (0)
// WHAT CAN GO WRONG

Write operations (create_alert_rule, create_incident, patch_dashboard) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

One command. Full control.

Intercept sits between your agent and Grafana. Every tool call checked against your policy before it executes — so your agent can do its job without breaking things.

npx -y @policylayer/intercept scan -- npx -y @grafana/mcp-grafana
Scans every tool. Generates a policy. Starts enforcing.
Works with Claude Code · Cursor · Claude Desktop · Windsurf · any MCP client
// RECOMMENDED RULES
Rate limit write operations
create_alert_rule:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
generate_deeplinks:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 29 GRAFANA TOOLS
WRITE 4 tools
Write create_alert_rule Write create_incident Write patch_dashboard Write update_dashboard
READ 25 tools
Read generate_deeplinks Read get_dashboard_by_uid Read get_dashboard_panel_queries Read get_dashboard_property Read get_dashboard_summary Read get_datasource Read get_panel_image Read get_query_examples Read get_role_details Read list_alert_rules Read list_all_roles Read list_annotations Read list_cloudwatch_namespaces Read list_datasources Read list_incidents Read list_loki_label_names Read list_prometheus_metric_names Read list_teams Read list_users_by_org Read query_clickhouse Read query_cloudwatch Read query_elasticsearch Read query_loki_logs Read query_prometheus Read search_dashboards
// FAQ
How do I prevent bulk modifications through Grafana? +

The Grafana server has 4 write tools including create_alert_rule, create_incident, patch_dashboard. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Grafana MCP server expose? +

29 tools across 2 categories: Read, Write. 25 are read-only. 4 can modify, create, or delete data.

How do I add Intercept to my Grafana setup? +

One line change. Instead of running the Grafana server directly, prefix it with Intercept: intercept -c grafana.yaml -- npx -y @@grafana/mcp-grafana. Download a pre-built policy from policylayer.com/policies/grafana and adjust the limits to match your use case.

policylayer/intercept

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

npx -y @policylayer/intercept init
Protect your agent in 30 seconds. Scans your MCP config and generates enforcement policies for every server.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.