Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EZ Unifi
v1.0.1
Use when asked to manage UniFi network - list/restart/upgrade devices, block/unblock clients, manage WiFi networks, control PoE ports, manage traffic rules, create guest vouchers, or any UniFi controller task. Works with UDM Pro/SE, Dream Machine, Cloud Key Gen2+, or self-hosted controllers.
by @araa47
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's functionality (UniFi management) matches the name and description — the code uses aiounifi and exposes appropriate controller operations. However, the registry declares no required environment variables or primary credential, while the SKILL.md and script clearly require UNIFI_HOST, UNIFI_USERNAME, and UNIFI_PASSWORD (and optionally UNIFI_SITE, UNIFI_IS_UDM). The metadata omission is an incoherence that should be corrected.
Instruction Scope
The SKILL.md stays within the stated purpose and gives explicit CLI usage. It instructs the user to create a dedicated local admin account and to save controller credentials to a .env file. This is expected for controller management, but it also requests a Super Admin (or Site Admin) account — a high privilege level — and directs storing plaintext credentials locally, which broadens the risk profile.
Install Mechanism
There is no install spec (instruction-only skill) and no external downloads; the script lists Python dependencies in comments but does not attempt remote installs. This is lower risk from an installation perspective, but users must manually install/verify the declared dependencies.
Credentials
The skill requires direct controller credentials (UNIFI_HOST, UNIFI_USERNAME, UNIFI_PASSWORD) but the registry metadata does not declare them. Asking for Super Admin credentials is high privilege; while many actions require admin rights, the request should be explicit in metadata. The SKILL.md recommends saving credentials to an unencrypted .env file, which is insecure. The code also disables SSL verification (ssl_context=False) to accept self-signed certs, reducing TLS protection.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. However, because it can be invoked autonomously (default) and would hold network-admin credentials, an agent could make changes without interactive confirmation; users should be comfortable with that level of autonomous access before enabling the skill.
What to consider before installing
This skill looks like a real UniFi management tool, but there are a few red flags to consider before installing:
(1) the registry metadata does not declare the UNIFI_* environment variables that the script and SKILL.md require — confirm where credentials will be stored and why the metadata omits them;
(2) the skill asks you to create/use a Super Admin account and to store the password in a plaintext .env file — prefer a least-privilege account if possible, use a dedicated account, and avoid long-term plaintext storage;
(3) the code disables SSL verification (accepts self-signed certs) which weakens TLS checks — consider securing your controller certificate instead of disabling verification;
(4) because the agent can invoke this skill autonomously and it has network-admin credentials, limit who/what can call it and consider interactive-only invocation if you want manual approval for destructive actions;
(5) review the full script yourself (or have a trusted admin do so) for any hidden network calls or telemetry before providing credentials, and rotate the account password after initial setup.
If you can't inspect the code or confirm the author, treat the skill as higher risk and avoid providing high-privilege credentials.
Like a lobster shell, security has layers — review code before you run it.
latest vk977q5kaswtn9nk71dej1g10d580c7x2
Runtime requirements
📶 Clawdis
