LibreNMS
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent read-only LibreNMS monitoring wrapper, but it relies on a local API token and disables TLS certificate verification by default.
Before installing, verify you trust the skill source, configure a least-privileged LibreNMS token, restrict permissions on the local config file, and consider removing curl's -k flag or using a valid TLS certificate for your LibreNMS instance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the configured token may be able to view LibreNMS monitoring data, and possibly more depending on how the token is scoped in LibreNMS.
The script reads a LibreNMS API token from local configuration or environment variables and uses it as an authentication header. This is expected for the integration, but it is still delegated account/API access.
API_TOKEN=$(jq -r '.api_token' "$config_file") ... -H "X-Auth-Token: $API_TOKEN"
Use a least-privileged LibreNMS API token intended for monitoring, keep the config file permissions restrictive, and rotate the token if it is shared or exposed.
On an untrusted or intercepted network, the API token and monitoring data could be exposed to the wrong server or a man-in-the-middle.
The -k option disables TLS certificate verification while the API token is sent to the configured LibreNMS URL. SKILL.md discloses this self-signed-certificate behavior, but it weakens server identity verification.
response=$(curl -sk ... -H "X-Auth-Token: $API_TOKEN" ... "$url" 2>&1)
Prefer a LibreNMS instance with a valid TLS certificate and remove the -k flag if strict certificate validation is possible.
It may be harder to confirm the maintainer, update source, or dependency expectations before installing.
The skill's provenance and registry setup information are limited. This is not evidence of malicious behavior because the included artifacts are coherent, but it reduces independent verifiability.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Inspect the included script, install only from a source you trust, and ensure curl/jq are installed from your normal package manager.
