Security audit

Mikrotik RouterOS

Security checks across malware telemetry and agentic risk

Overview

This is a real MikroTik router-management skill, but it gives an agent broad router-control and credential-handling authority without enough safeguards.

Install only if you intentionally want an agent to administer MikroTik routers. Use a least-privilege RouterOS account, avoid CLI password arguments and plaintext TOOLS.md secrets, prefer a trusted network or a TLS-capable client, and require explicit human approval before scans, backups, cleanup, custom commands, reboot, shutdown, or configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _get_mac_from_arp(self, ip):
        """Try to get MAC address from system ARP table"""
        try:
            output = subprocess.check_output(f"arp -a {ip}", shell=True).decode('gbk', errors='ignore')
            match = re.search(r'([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})', output)
            if match:
                return match.group(0).replace('-', ':').lower()
Confidence
98% confidence
Finding
output = subprocess.check_output(f"arp -a {ip}", shell=True).decode('gbk', errors='ignore')

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The login() method effectively treats any non-None response as successful authentication, even if the server returned an error or malformed reply. This can cause the client to operate under a false authenticated state, leading to unauthorized command attempts, broken security assumptions, and potentially dangerous automation decisions if downstream code assumes login success implies trusted access.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module is framed as a collection of common wrappers, but it exposes destructive device-control operations (`/system/reboot` and `/system/shutdown`) alongside read-only status queries without any safety boundary, privilege gating, or explicit hazardous labeling. In an agent skill context, this increases the chance that higher-level automation or an unsuspecting user invokes disruptive operations as if they were ordinary inspection commands, causing avoidable denial of service on network infrastructure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises many broad natural-language triggers such as generic networking, firewall, logs, routing, scan, and status queries. Because these overlap with common admin/helpdesk requests, the skill can be invoked unintentionally and gain access to sensitive network-management actions, including device interrogation, scanning, backups, and custom RouterOS command execution. In this context, the presence of high-impact capabilities makes ambiguous triggering more dangerous than in a read-only informational skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting router credentials via command-line arguments exposes secrets through shell history, process listings, audit logs, and terminal recording tools. On multi-user systems or monitored environments, other users or software may recover the password and gain unauthorized access to the RouterOS device.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The login() function sends the password directly over the RouterOS API connection, and the default port is 8728, which is typically unencrypted. This exposes credentials to interception by anyone able to observe network traffic, making credential theft and subsequent device compromise realistic on untrusted networks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `reboot` wrapper directly issues `/system/reboot` with no confirmation, dry-run option, policy check, or user-visible warning. In an automated agent environment, a single mistaken invocation can immediately interrupt routing, firewalling, and management access, creating a preventable service outage.

Missing User Warnings

High
Confidence
98% confidence
Finding
The `shutdown` wrapper issues `/system/shutdown` immediately and lacks any confirmation or safety interlock. Because this targets a router or network device, accidental or unauthorized use can fully take the device offline until manual recovery or power intervention, making the operational impact more severe than a reboot.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.