Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Unifly
v0.8.1This skill should be used when the user asks to "manage UniFi devices", "configure UniFi networks", "create a VLAN", "provision an SSID", "create firewall ru...
⭐ 0· 78·1 current·1 all-time
byStefanie Jane@hyperb1iss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the delivered artifacts: the SKILL.md documents the unifly CLI, its commands, auth modes, paths, and examples for UniFi management. There are no unrelated binaries, unusual permissions, or unexplained env var requests in the package metadata.
Instruction Scope
Runtime instructions focus on using the unifly CLI and manipulating UniFi controller objects (networks, WiFi, firewall, NAT, VPN, events, backups, etc.). Examples include piping live events to external webhooks (using $SLACK_WEBHOOK) and a device upgrade flag that accepts an arbitrary firmware URL (upgrade --url). Those behaviors are legitimate features for automation/alerting but can transmit controller-derived data externally or push non-vendor firmware if misused. The skill does not instruct reading unrelated system files or harvesting environment variables beyond standard controller config/env usage.
Install Mechanism
This is instruction-only (no install spec). SKILL.md recommends installing the upstream unifly binary via brew or cargo, which is a reasonable, typical user action and not performed automatically by the skill package itself.
Credentials
The skill declares no required environment variables or credentials. The documentation references common patterns (UNIFI_* envs, storing API keys in the OS keyring, and examples that use a $SLACK_WEBHOOK), which are proportional to a UniFi management tool. Note: a few example payload files include literal example secrets (e.g., WiFi passphrase 'IoTSecure2024!') — these are sample values and not required by the skill, but could mislead users into shipping weak/default creds.
Persistence & Privilege
The skill does not request elevated platform persistence; always:false and default autonomous-invocation settings are normal. It does not modify other skills or global agent configuration.
Scan Findings in Context
[no-findings] expected: The regex scanner found no code-level matches. This is expected because the package is instruction-only and contains no executable code files for the scanner to analyze.
Assessment
This skill is coherent for managing UniFi controllers using the unifly CLI. Before installing/using it: 1) only run the recommended install commands from trusted sources (official GitHub releases or your package manager); 2) never paste real controller credentials into example files—use the OS keyring or env vars as documented; 3) review automation examples that forward events to external webhooks (they will transmit controller event data to whatever webhook you configure); 4) be cautious with 'device upgrade --url' or raw API passthrough: these can be used to side‑load firmware or execute controller operations if pointed at untrusted endpoints; and 5) limit autonomous invocation or credential exposure if you do not want agents to run network-changing commands without explicit user approval.examples/config.toml:9
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
clivk97ec6mrk2spgk7q143t29mjrn846dzafirewallvk97ec6mrk2spgk7q143t29mjrn846dzainfrastructurevk97ec6mrk2spgk7q143t29mjrn846dzalatestvk97fv25mjp52hnz2203591c1xs84j65dnetworkingvk97ec6mrk2spgk7q143t29mjrn846dzarustvk97ec6mrk2spgk7q143t29mjrn846dzatuivk97ec6mrk2spgk7q143t29mjrn846dzaubiquitivk97ec6mrk2spgk7q143t29mjrn846dzaunifivk97ec6mrk2spgk7q143t29mjrn846dzawifivk97ec6mrk2spgk7q143t29mjrn846dza
License
MIT-0
Free to use, modify, and redistribute. No attribution required.