FTTR Copilot

Pass. Audited by ClawScan on May 15, 2026.

Overview

The skill is a coherent FTTR Copilot cloud-control integration that uses a customer token to query device/network data and perform limited disclosed operations.

This skill appears purpose-aligned for FTTR Copilot operations. Install it only if you trust the publisher and are comfortable providing an FTTRAI customer token. Use the default HTTPS API endpoint when possible, avoid sharing the token, and explicitly confirm any alias changes before running them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill must provide a sensitive token that can access customer-bound device and network information.

Why it was flagged

The skill requires a customer bearer token, which is expected for this integration but grants access to the authenticated customer's FTTRAI cloud-control data.

Skill content

FTTRAI_AUTH_TOKEN ... Customer bearer token used to call FTTRAI APIs.

Recommendation

Use a token with the minimum needed scope if available, keep it out of chat logs and shared terminals, and revoke or rotate it if exposed.

What this means

If invoked, the agent can change a device alias in the FTTRAI account.

Why it was flagged

The skill includes a limited state-changing operation. It is clearly disclosed and scoped to a device alias, so this is a user-notice item rather than a concern.

Skill content

`update_device_alias`: Update a device alias. This writes to FTTRAI state.

Recommendation

Confirm the target device and new alias before asking the agent to run this tool.

What this means

A misconfigured or untrusted FTTRAI_RPC_URL could send the token and returned device data to the wrong service, especially over plaintext HTTP.

Why it was flagged

The RPC endpoint can be overridden and may use HTTP as well as HTTPS. Because API calls use the bearer token, an unsafe endpoint setting could expose credentials or device data.

Skill content

if (!["http:", "https:"].includes(parsedUrl.protocol)) { ... "FTTRAI_RPC_URL 只支持 http 或 https" }

Recommendation

Leave the default HTTPS endpoint unless you trust the replacement endpoint, and avoid HTTP URLs for real credentials.

What this means

Users have less external context for verifying the publisher or upstream project before giving it a cloud-control token.

Why it was flagged

The registry metadata does not provide an upstream source or homepage. This is a provenance gap, though the included runtime code is small and purpose-aligned.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and token scope through trusted FTTRAI/OpenClaw channels before installing in a sensitive environment.