Security audit

Mikrotik Routeros

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate router-management skill, but it includes risky production-network examples that need manual review before use.

Install only if you intentionally want an agent to assist with real MikroTik/VSOL administration. Use least-privilege accounts, prefer SSH keys and TLS-validated API-SSL, avoid plaintext passwords in TOOLS.md, review every router script before applying it, disable or pin auto-updates, and avoid third-party notifications or backup uploads unless you accept the data exposure and have retention/access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill advertises broad management capabilities, but the documented behavior extends to reading ~/.openclaw/workspace/TOOLS.md for device definitions and potentially sensitive metadata that is not clearly disclosed in the top-level description. This hidden configuration source can expose credentials or host inventory unexpectedly, and the mismatch around REST/OLT support can mislead operators into unsafe trust assumptions about what the skill actually does.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads credentials from ~/.openclaw/workspace/TOOLS.md, which expands its access beyond explicit runtime parameters and environment variables into a local file that may contain other sensitive material. In a device-management skill this is risky because it silently harvests secrets from disk, and the parsing logic even accepts and uses plaintext passwords found there.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The comment claims the code avoids reading unrelated credentials, but it calls open(tools).read() on the entire TOOLS.md before extracting the MikroTik section. This discrepancy matters because the code ingests the full contents of a potentially sensitive file into memory, increasing exposure and misleading reviewers about the actual data access behavior.
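The three findings above describe the same weak pattern: the whole of TOOLS.md is read with open(tools).read(), the MikroTik section is extracted afterwards, and any plaintext password found there is accepted. The following is an added example, not the audited skill's code, of the section-scoped loader a reviewer would ask for instead: it streams the file line by line, keeps only the lines under the MikroTik heading, refuses password literals, and resolves the password through an environment variable named in the file. The heading text `## MikroTik`, the key names, the `password_env` indirection and the sample TOOLS.md content are all assumptions constructed for the example.

```python
"""Section-scoped credential loading for a TOOLS.md-style device inventory.

Added example (not the audited skill's code). The heading name, key names,
the 'password_env' indirection and both sample documents are assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, Mapping, Optional

SECTION_RE = re.compile(r"^##\s+(.*?)\s*$")
KV_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w-]*)\s*:\s*(.*?)\s*$")
PASSWORD_KEYS = ("password", "pass", "secret")

# Constructed sample: only the MikroTik section belongs to this skill; the
# other sections hold unrelated secrets that must never be read into memory.
SAMPLE_TOOLS_MD = """\
# Tools

## GitHub
- token: ghp_unrelated_secret_that_must_not_be_read

## MikroTik
- host: 192.0.2.10
- user: ops-readonly
- password_env: MIKROTIK_PASS
- port: 8729

## Telegram
- bot_token: 123456:unrelated
"""

# Constructed sample of the pattern the finding flags: a plaintext password.
BAD_TOOLS_MD = """\
## MikroTik
- host: 192.0.2.10
- user: admin
- password: hunter2
"""


def mikrotik_section_lines(path: str, section: str = "MikroTik") -> List[str]:
    """Return only the lines under '## <section>', streaming the file so that
    lines from other sections are discarded as they pass and never end up in
    one string holding the whole document."""
    keep: List[str] = []
    inside = False
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            heading = SECTION_RE.match(line)
            if heading:
                inside = heading.group(1).lower() == section.lower()
                continue
            if inside:
                keep.append(line.rstrip("\n"))
    return keep


def load_mikrotik_config(path: str, env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Parse the MikroTik section; refuse password literals and take the
    password from the environment variable the section names."""
    env = os.environ if env is None else env
    cfg: Dict[str, str] = {}
    for line in mikrotik_section_lines(path):
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.group(1).lower(), kv.group(2)
        if key in PASSWORD_KEYS:
            raise ValueError(f"plaintext '{key}' in {path}: name an env var via password_env")
        cfg[key] = value
    var = cfg.pop("password_env", None)
    if not var:
        raise ValueError("MikroTik section must set password_env")
    if var not in env:
        raise ValueError(f"environment variable {var} is not set")
    cfg["password"] = env[var]
    cfg.setdefault("port", "8729")  # api-ssl, never the plaintext 8728
    return cfg


def load_from_text(text: str, env: Mapping[str, str]) -> Dict[str, str]:
    """Write constructed text to a temp file and load it (demo helper)."""
    with tempfile.NamedTemporaryFile("w", suffix=".md", delete=False, encoding="utf-8") as tmp:
        tmp.write(text)
        path = tmp.name
    try:
        return load_mikrotik_config(path, env)
    finally:
        os.unlink(path)


def rejects_plaintext_literal() -> bool:
    """True when the loader refuses the constructed plaintext-password sample."""
    try:
        load_from_text(BAD_TOOLS_MD, {})
    except ValueError as exc:
        return "plaintext" in str(exc)
    return False


if __name__ == "__main__":
    cfg = load_from_text(SAMPLE_TOOLS_MD, {"MIKROTIK_PASS": "s3cret"})
    print({k: ("***" if k == "password" else v) for k, v in cfg.items()})
    print("plaintext password rejected:", rejects_plaintext_literal())
```

The loader still touches the file, so the finding's broader point stands: the skill's top-level description should disclose that it reads TOOLS.md at all. What changes is the blast radius, since GitHub and Telegram secrets in the same file are never assembled into memory and a password typed into the file is an error rather than a working credential.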

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrase 'any ISP infrastructure task' is excessively broad and can cause the skill to activate for unrelated or only partially related networking requests. Overbroad invocation increases the chance that high-risk operational guidance, credential handling, or destructive network commands are surfaced in the wrong context.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Generic triggers such as 'add firewall rule' and 'load balance actions' are common across many environments and may invoke this skill outside its intended MikroTik/ISP scope. In a security-sensitive admin skill, accidental activation can lead to inappropriate device-specific guidance, unsafe command suggestions, or credential requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs operators to fetch and install RouterOS scripts directly from remote URLs into /system/script and then run them, which changes device behavior immediately. Even with certificate checking, this is still a supply-chain and change-management risk because remote content can change over time, and the documentation does not warn users that they are executing unreviewed code on production routers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The daily auto-update scheduler applies remotely sourced script changes automatically at startup and every day, creating an unattended remote code execution path on infrastructure devices. In an ISP/router-management skill, this is more dangerous because changes can propagate to core network systems without review, causing outages or compromise if the upstream source or trust chain is abused.
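The two findings above concern the same path: a script is fetched from a remote URL into /system/script and run, and a daily scheduler repeats that unattended. The overview's advice is to disable or pin auto-updates. The following added example (not the audited skill's or any MikroTik code) shows what pinning means in practice: the operator records the SHA-256 of the script they reviewed, and fetched bytes are only turned into RouterOS install commands when the digest matches and a short deny-list lint passes. The fetch is replaced by constructed bytes so the example runs offline; the script name, the deny-list, and the exact shape of the `/system script add` command are assumptions.

```python
"""Pin-and-verify gate for RouterOS scripts before they reach /system/script.

Added example, not the audited skill's code. The script body, pinned digest,
deny-list and install-command shape are assumptions.
"""
import hashlib
import hmac
from typing import List

# Constructed stand-in for the bytes a fetch from the remote URL would return.
REVIEWED_SCRIPT = b"""\
# wan failover helper (constructed sample script body)
:local gw [/ip route get [find comment="wan1"] gateway]
:log info ("wan1 gateway is " . $gw)
"""

# The operator computes this while reviewing REVIEWED_SCRIPT and stores it
# beside the scheduler, never alongside the remote source. It is derived here
# only so the sample is self-consistent; in use it is a pasted literal.
PINNED_SHA256 = hashlib.sha256(REVIEWED_SCRIPT).hexdigest()

# Commands a failover helper has no reason to run (assumed deny-list).
FORBIDDEN_FRAGMENTS = (
    b"/system reset-configuration",
    b"/user add",
    b"/ip service",
    b"/tool fetch",  # a reviewed script must not pull further code itself
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(fetched: bytes, pinned_hex: str) -> None:
    """Raise unless the fetched bytes hash to the reviewed digest."""
    actual = sha256_hex(fetched)
    if not hmac.compare_digest(actual, pinned_hex.lower()):
        raise ValueError(f"digest mismatch: fetched {actual}, pinned {pinned_hex}")


def lint_script(body: bytes) -> List[str]:
    """Return the deny-listed fragments present in the script body."""
    return [frag.decode() for frag in FORBIDDEN_FRAGMENTS if frag in body]


def routeros_quote(text: str) -> str:
    """Escape for a double-quoted RouterOS string: backslash, quote, dollar
    (an unescaped $var would be expanded when the script is added)."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")


def install_commands(name: str, fetched: bytes, pinned_hex: str) -> List[str]:
    """RouterOS commands that replace the named script with verified content.
    No scheduler is emitted: a new release means a new review and a new pin."""
    verify_pinned(fetched, pinned_hex)
    bad = lint_script(fetched)
    if bad:
        raise ValueError("refusing script containing: " + ", ".join(bad))
    src = routeros_quote(fetched.decode("utf-8"))
    return [
        f'/system script remove [find name="{name}"]',
        f'/system script add name="{name}" policy=read,write,test source="{src}"',
    ]


def is_rejected(name: str, fetched: bytes, pinned_hex: str) -> bool:
    """True when the gate refuses the given body for the given pin."""
    try:
        install_commands(name, fetched, pinned_hex)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for cmd in install_commands("wan-failover", REVIEWED_SCRIPT, PINNED_SHA256):
        print(cmd)
    tampered = REVIEWED_SCRIPT + b"/user add name=svc password=x group=full\n"
    print("tampered body rejected:", is_rejected("wan-failover", tampered, PINNED_SHA256))
```

The digest check catches an upstream that changed after review; the lint is a second line for the case where the operator re-pins a new release without reading it carefully. Neither replaces review, which is the point the finding makes about the scheduler.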

Missing User Warnings

High
Confidence
96% confidence
Finding
The example shows backup upload configuration with credentials embedded in a URL and automated export of router backups off-device, but omits warnings about secret exposure and sensitive configuration leakage. Router backups often contain network topology, credentials, certificates, and customer-related configuration, so misuse or interception can have serious operational and privacy consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes up-hook and down-hook parameters that execute arbitrary commands on host state transitions without any warning about command execution risks. In a router automation context, operators may copy these patterns into production, where malformed or unsafe commands can disable routing, weaken firewall policy, or create persistence paths.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide instructs users to store a Telegram bot token and chat ID directly in configuration and send router notifications to a third-party messaging platform, but provides no secret-handling or data-disclosure warning. Exposure of the bot token allows message spoofing or abuse, and operational alerts sent to Telegram may leak infrastructure details outside the organization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs operators to send router identity, link names, and status changes to Telegram, WhatsApp, and Google Sheets, but it does not warn that this transmits infrastructure metadata to third-party services. In an ISP/network-operations context, those details can reveal topology, provider names, outage timing, and operational state to external platforms, increasing privacy, reconnaissance, and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document instructs operators to set the ACS URL to plain HTTP for TR-069, which exposes management traffic and device credentials/configuration metadata to interception or tampering if traversing untrusted networks. TR-069 is remote device management, so presenting it without a warning about the security implications increases the chance of insecure deployment at scale.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference explicitly instructs clearing all connection tracking entries after NAT changes without warning that this will immediately disrupt active sessions. In an ISP/router management skill, operators may copy commands directly into production devices, so omitting an impact warning increases the chance of accidental denial of service for live customer traffic.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The SSH example explicitly sets `StrictHostKeyChecking=no`, which disables host key verification and makes man-in-the-middle attacks materially easier during OLT administration. In this skill's context, operators use it to access ISP infrastructure devices over SSH, so a spoofed host could capture credentials or receive privileged configuration commands.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The default connection uses port 8728 and sends login data over a raw socket without transport security, while _login attempts plaintext authentication and legacy MD5 challenge flow. In an ISP/network-management context, these credentials can provide highly privileged access to routers, so interception on an untrusted network could lead to device takeover or broad infrastructure compromise.
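As an added example (not the audited skill's client code), the following shows the hardened counterpart of the connection the finding describes: api-ssl on 8729 with a TLS context that requires the router's certificate to validate against a CA file and match the hostname, the API's length-prefixed word framing, and the post-6.43 login that sends the credentials in the first sentence. There is deliberately no fallback to the plaintext port or to the pre-6.43 MD5 challenge/response. The CA file path, hostname and credentials are assumptions; no socket is opened unless connect() is called.

```python
"""RouterOS API over api-ssl with certificate validation (added example, not
the audited skill's code). Host, CA path and credentials are assumptions.
"""
import socket
import ssl
from typing import Iterable, Optional

API_SSL_PORT = 8729    # api-ssl service
API_PLAIN_PORT = 8728  # plaintext api service: refused below


def encode_length(n: int) -> bytes:
    """RouterOS API word-length prefix: 1 to 5 bytes, marker bits in the
    leading byte indicate how many bytes follow."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def encode_sentence(words: Iterable[str]) -> bytes:
    """Length-prefixed UTF-8 words terminated by a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"


def login_sentence(user: str, password: str) -> bytes:
    """Post-6.43 login: credentials travel in the first sentence, which is
    only acceptable inside TLS. No MD5 challenge/response fallback."""
    return encode_sentence(["/login", f"=name={user}", f"=password={password}"])


def make_tls_context(cafile: Optional[str]) -> ssl.SSLContext:
    """TLS 1.2+, certificate required, hostname checked. cafile should be the
    CA that issued the router's api-ssl certificate (or that certificate
    itself); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect(host: str, cafile: Optional[str], port: int = API_SSL_PORT,
            timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a validated TLS connection to the api-ssl service."""
    if port == API_PLAIN_PORT:
        raise ValueError("port 8728 is the plaintext API; use api-ssl on 8729")
    ctx = make_tls_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def refuses_plain_port(host: str = "router.example.net") -> bool:
    """True when connect() rejects 8728 before any socket is opened."""
    try:
        connect(host, None, port=API_PLAIN_PORT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Assumed values; replace with the router's hostname and CA file.
    print(login_sentence("ops-readonly", "example").hex())
    print("strict context:", context_is_strict(make_tls_context(None)))
    print("refuses 8728:", refuses_plain_port())
```

With this shape a spoofed router fails the TLS handshake before the login sentence is ever sent, which is the property the finding says the audited client lacks on 8728.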

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
conn.disconnect()
```

### REST API (curl — ROS 7.1+)
```bash
# Use env vars — never hardcode credentials
curl -u "$MIKROTIK_USER:$MIKROTIK_PASS" \
  --cacert /path/to/router-cert.pem \
  https://$MIKROTIK_HOST/rest/ip/address
# Dev/lab
```
Confidence
96% confidence
Finding
Flagged line: `curl -u "$MIKROTIK_USER:$MIKROTIK_PASS" --cacert /path/to/router-cert.pem https://$MIKROTIK_HOST/rest/ip/address`

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/failover-notifications.md:180