UniFi Advisor
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill lets the assistant read UniFi network state available to the API key, including sites, devices, clients, firewall policies, VPN information, and related configuration.
The skill needs a UniFi API key and can read account-wide UniFi inventory and configuration data. This is expected for the stated advisor purpose, but it is sensitive delegated access.
Env vars needed: UNIFI_API_KEY ... All UniFi OS consoles on the UI account ... All sites across all consoles
Use the least-privileged UniFi API key available, prefer read-only scope if UniFi supports it, and install only if you are comfortable with the assistant viewing this network information.
Basic UniFi site metadata such as labels, host IDs, state, firmware, timezone, and IP address may remain on disk briefly after use.
The script writes a local cache containing discovered UniFi site and host metadata, then reuses it for up to 15 minutes. This is disclosed and bounded, but it persists sensitive network context locally.
CACHE_FILE = Path.home() / ".unifi-skill.json" ... CACHE_TTL = 900 ... CACHE_FILE.write_text(json.dumps({"library": library, "updatedAt": time.time()}, indent=2))
Be aware of the cache at ~/.unifi-skill.json, protect the local user account, and delete the cache if you do not want UniFi site metadata retained.
Users have less external context for verifying who maintains the skill or comparing the installed script against an upstream repository.
The package provenance is not clearly linked to a public source or homepage. The provided artifacts do not show malicious behavior, but provenance matters more for a skill that handles an API key.
Source: unknown; Homepage: none
Review the included script before installation and prefer installing from a trusted publisher or verifiable source when handling production network credentials.
