LibreNMS
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: librenms Version: 1.0.0 The skill is classified as suspicious primarily due to the use of `curl -k` in `scripts/librenms.sh`, which disables SSL/TLS certificate validation. While this is explicitly documented in `SKILL.md` and `README.md` as a feature for self-signed certificates, it introduces a significant man-in-the-middle (MITM) vulnerability. Additionally, user-provided hostnames are directly incorporated into API call URLs (e.g., `/devices/$hostname`), which could pose a risk if the LibreNMS API backend is vulnerable to URL path injection, though the script itself does not maliciously craft these inputs. There is no evidence of intentional malicious behavior, data exfiltration, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the configured token may be able to view LibreNMS monitoring data, and possibly more depending on how the token is scoped in LibreNMS.
The script reads a LibreNMS API token from local configuration or environment variables and uses it as an authentication header. This is expected for the integration, but it is still delegated account/API access.
API_TOKEN=$(jq -r '.api_token' "$config_file") ... -H "X-Auth-Token: $API_TOKEN"
Use a least-privileged LibreNMS API token intended for monitoring, keep the config file permissions restrictive, and rotate the token if it is shared or exposed.
On an untrusted or intercepted network, the API token and monitoring data could be exposed to the wrong server or a man-in-the-middle.
The -k option disables TLS certificate verification while the API token is sent to the configured LibreNMS URL. SKILL.md discloses this self-signed-certificate behavior, but it weakens server identity verification.
response=$(curl -sk ... -H "X-Auth-Token: $API_TOKEN" ... "$url" 2>&1)
Prefer a LibreNMS instance with a valid TLS certificate and remove the -k flag if strict certificate validation is possible.
It may be harder to confirm the maintainer, update source, or dependency expectations before installing.
The skill's provenance and registry setup information are limited. This is not evidence of malicious behavior because the included artifacts are coherent, but it reduces independent verifiability.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Inspect the included script, install only from a source you trust, and ensure curl/jq are installed from your normal package manager.