UniFi Advisor
ReviewAudited by ClawScan on May 8, 2026.
Overview
The skill appears to be a coherent read-only UniFi advisor, but it requires a UniFi API key and locally caches some network metadata.
This skill appears safe for its stated read-only UniFi advisory purpose. Before installing, confirm you trust the publisher, use the least-privileged UniFi API key available, remember that the assistant may see sensitive network details, and specify the intended site when asking questions in multi-site environments.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill lets the assistant read UniFi network state available to the API key, including sites, devices, clients, firewall policies, VPN information, and related configuration.
The skill needs a UniFi API key and can read account-wide UniFi inventory and configuration data. This is expected for the stated advisor purpose, but it is sensitive delegated access.
Env vars needed: UNIFI_API_KEY ... All UniFi OS consoles on the UI account ... All sites across all consoles
Use the least-privileged UniFi API key available, prefer read-only scope if UniFi supports it, and install only if you are comfortable with the assistant viewing this network information.
Basic UniFi site metadata such as labels, host IDs, state, firmware, timezone, and IP address may remain on disk briefly after use.
The script writes a local cache containing discovered UniFi site and host metadata, then reuses it for up to 15 minutes. This is disclosed and bounded, but it persists sensitive network context locally.
CACHE_FILE = Path.home() / ".unifi-skill.json" ... CACHE_TTL = 900 ... CACHE_FILE.write_text(json.dumps({"library": library, "updatedAt": time.time()}, indent=2))Be aware of the cache at ~/.unifi-skill.json, protect the local user account, and delete the cache if you do not want UniFi site metadata retained.
Users have less external context for verifying who maintains the skill or comparing the installed script against an upstream repository.
The package provenance is not clearly linked to a public source or homepage. The provided artifacts do not show malicious behavior, but provenance matters more for a skill that handles an API key.
Source: unknown; Homepage: none
Review the included script before installation and prefer installing from a trusted publisher or verifiable source when handling production network credentials.