EZ Unifi
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: A mistaken or overly broad agent action could restart devices, change network behavior, disconnect clients, or alter controller settings.
The skill exposes a raw UniFi API command path in addition to its higher-level commands. With admin credentials, any method, path and body the controller accepts can be sent through it, so the scoping built into the higher-level commands is bypassed and arbitrary controller operations can be performed.
Evidence:
uv run unifi.py raw POST /cmd/devmgr '{"cmd":"restart","mac":"..."}'
Recommendation: Use the raw path only on an explicit user request, require confirmation before disruptive changes, and consider removing or restricting raw API access unless the user specifically needs it.
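One way to put the recommended confirmation step in front of the raw command path. This is an added example, not code from the EZ Unifi skill: it takes the same `METHOD PATH [JSON_BODY]` arguments the skill's `raw` command takes, classifies the call, and returns a decision that blocks disruptive calls until the user has explicitly confirmed them. The `RawRequest`/`Decision` types, the function names and the deny-by-default endpoint policy are this example's own assumptions; only `POST /cmd/devmgr` with `cmd=restart` appears in the scan evidence.

```python
"""Gate raw UniFi API requests so disruptive calls need explicit confirmation.

Added example, not the skill's code. Endpoint policy and names are assumptions.
"""
import json
from dataclasses import dataclass

SAFE_METHODS = {"GET"}

# Assumed deny-by-default policy: a mutating call to one of these site-relative
# endpoints is disruptive unless its "cmd" is on the endpoint's short benign
# list. /cmd/devmgr (device management) is the endpoint from the scan evidence;
# /cmd/stamgr (client kick/block) is an assumed second example.
GUARDED_ENDPOINTS = {
    "/cmd/devmgr": {"set-locate", "unset-locate"},  # blink an LED: harmless
    "/cmd/stamgr": set(),
}


@dataclass(frozen=True)
class RawRequest:
    method: str
    path: str
    body: str = ""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    kind: str    # "read", "write", "disruptive" or "blocked"
    reason: str


def from_args(args: list[str]) -> RawRequest:
    """Build a request from the tail of `unifi.py raw METHOD PATH [JSON_BODY]`."""
    if len(args) not in (2, 3):
        raise ValueError("expected: METHOD PATH [JSON_BODY]")
    return RawRequest(args[0], args[1], args[2] if len(args) == 3 else "")


def guarded_endpoint(path: str):
    """Match the site-relative form the skill takes (/cmd/devmgr) as well as the
    full controller path (/api/s/<site>/cmd/devmgr)."""
    path = path.rstrip("/")
    for endpoint in GUARDED_ENDPOINTS:
        if path.endswith(endpoint):
            return endpoint
    return None


def classify(req: RawRequest) -> str:
    """Return "read", "write" or "disruptive" for a raw API request."""
    if req.method.upper() in SAFE_METHODS:
        return "read"
    endpoint = guarded_endpoint(req.path)
    if endpoint is None:
        return "write"
    try:
        payload = json.loads(req.body) if req.body.strip() else {}
    except json.JSONDecodeError:
        return "disruptive"  # unparseable body on a guarded endpoint: not assumed safe
    cmd = payload.get("cmd") if isinstance(payload, dict) else None
    if not isinstance(cmd, str):
        return "disruptive"  # missing or malformed cmd: not assumed safe
    return "write" if cmd in GUARDED_ENDPOINTS[endpoint] else "disruptive"


def gate(req: RawRequest, confirmed: bool = False, raw_enabled: bool = True) -> Decision:
    """Decide whether a raw request may be sent.

    raw_enabled=False is the "remove raw API access" option from the advisory;
    confirmed=True means the user explicitly approved this exact request."""
    if not raw_enabled:
        return Decision(False, "blocked", "raw API access is disabled for this skill")
    kind = classify(req)
    if kind == "disruptive" and not confirmed:
        return Decision(False, kind,
                        f"{req.method.upper()} {req.path} needs explicit user confirmation")
    return Decision(True, kind, "ok")


if __name__ == "__main__":
    # Constructed request with the same shape as the scan evidence.
    req = from_args(["POST", "/cmd/devmgr", '{"cmd":"restart","mac":"..."}'])
    print(gate(req))                   # blocked until confirmed
    print(gate(req, confirmed=True))   # allowed, still classified as disruptive
```

The policy is deliberately deny-by-default on the guarded endpoints: an unknown or missing `cmd`, or a body that does not parse, is treated as disruptive rather than waved through, because the whole point of the raw path is that the agent can send anything.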
Impact: If used on an untrusted network or pointed at a spoofed controller address, UniFi admin credentials could be exposed or misused. With verification disabled the client completes the TLS handshake with whatever certificate it is shown, so an on-path attacker or a fake controller receives the login request, password included.
The script reads a stored UniFi controller password from the environment and logs in with certificate verification disabled. This is understandable for local self-signed UniFi controllers, but it removes the only check that the client is talking to the real controller, and the credentials at stake are powerful admin credentials.
Evidence:
password = os.environ.get("UNIFI_PASSWORD", "")
...
ssl_context=False,  # Disable SSL verification for self-signed certs
Recommendation: Use a dedicated least-privilege local account, store credentials carefully, restrict access to the `.env` file, and prefer trusted controller certificates (trust the controller's own certificate explicitly rather than disabling verification) or a trusted local network.
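What the recommendation looks like in code, as an added example that is not the skill's own: instead of `ssl_context=False`, build an `SSLContext` that trusts only the controller's self-signed certificate and pins its SHA-256 fingerprint, and refuse to read a `.env` file that other local users can open. The helper names, the `UNIFI_CA_FILE` and `UNIFI_CERT_SHA256` settings and the tiny `.env` parser (a stand-in for python-dotenv so the block runs offline) are this example's assumptions; only `UNIFI_PASSWORD` appears in the scan evidence.

```python
"""Load UniFi credentials safely and verify the controller's certificate.

Added example, not the skill's code. Setting names and helpers are assumptions.
"""
import hashlib
import hmac
import os
import ssl
import stat


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser standing in for python-dotenv.
    Blank lines, # comments and lines without '=' are skipped; quotes stripped."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def mode_problems(mode: int) -> list[str]:
    """Report a credentials-file mode that lets group or others touch it.
    POSIX permission bits only; this check says nothing on Windows."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} is accessible to group/others; use chmod 600")
    return problems


def load_credentials(env_path: str = ".env") -> dict[str, str]:
    """Read the .env file only if it is private to the current user."""
    problems = mode_problems(stat.S_IMODE(os.stat(env_path).st_mode))
    if problems:
        raise PermissionError(f"{env_path}: " + "; ".join(problems))
    with open(env_path, encoding="utf-8") as f:
        env = parse_env(f.read())
    if not env.get("UNIFI_PASSWORD"):
        raise ValueError("UNIFI_PASSWORD is missing from " + env_path)
    return env


def sha256_fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -sha256
    -fingerprint` prints, so the pin can be recorded from the controller."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of a DER certificate against a pin, accepting
    the colon-separated or bare hex form in either letter case."""
    expected = pinned.replace(":", "").lower()
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)


def pinned_ssl_context(cafile: str, pinned: str) -> ssl.SSLContext:
    """Build the SSLContext to pass as ssl_context= instead of False.

    cafile is the controller's self-signed certificate (PEM), exported once over
    a trusted channel. create_default_context(cafile=...) loads no other roots,
    so it becomes the only trusted certificate; the file's fingerprint must also
    match the recorded pin so a swapped cafile is caught."""
    with open(cafile, "rb") as f:
        der = ssl.PEM_cert_to_DER_cert(f.read().decode("ascii"))
    if not fingerprint_matches(der, pinned):
        raise ssl.SSLError(f"{cafile} does not match the pinned fingerprint")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_peer(ssl_obj, pinned: str) -> None:
    """Check the live peer certificate after the handshake. ssl_obj is an
    ssl.SSLSocket or ssl.SSLObject (e.g. transport.get_extra_info("ssl_object"))."""
    der = ssl_obj.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, pinned):
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")


if __name__ == "__main__":
    env = load_credentials()  # raises if .env is world- or group-readable
    ctx = pinned_ssl_context(env["UNIFI_CA_FILE"], env["UNIFI_CERT_SHA256"])
    print("trusted roots:", ctx.cert_store_stats())
```

If the controller's certificate does not carry the name or IP you connect to, hostname checking will fail; in that case set `check_hostname = False` but keep `CERT_REQUIRED` and the fingerprint pin, which then does the identity work. The `verify_peer` check belongs after the handshake on the live connection, because the pin on `cafile` only proves the file on disk is the one you recorded.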
Impact: Depending on the account role, the agent may be able to manage or disrupt much of the UniFi network.
The skill openly asks for a high-privilege UniFi account. This is in line with network administration, but users should recognize that these credentials authorize major controller changes and that every action the agent takes runs with them.
Evidence:
Set Role to **Super Admin** or **Site Admin** ... Then provide:
- Controller IP ...
- Username
- Password
Recommendation: Prefer Site Admin over Super Admin where possible, create a dedicated account for this skill, and disable or remove the account when it is no longer needed.
Impact: Future dependency changes could alter behavior or introduce vulnerabilities even if the skill file itself stays the same.
The script declares its runtime Python dependencies with lower-bound version ranges, and no lockfile is shown. This is normal for a lightweight Python CLI, but it means each fresh install resolves to whatever newer versions the package index offers at that moment, so two installs of the same skill file can run different dependency code.
Evidence:
dependencies = [
# "aiounifi>=88",
# "aiohttp>=3.9.0",
# "python-dotenv>=1.0.0",
# ]
Recommendation: Use a trusted environment, consider pinning (or locking) dependency versions, and review dependency provenance before using the skill on production networks.
