Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Omada Viewer

v1.0.2

Read-only diagnostics for TP-Link Omada SDN controllers via the Open API. Use when inspecting Omada devices, clients, VLANs, LAN networks, WAN status, router...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match the included scripts and endpoint references: it is a read-only Omada Open API viewer. However the registry metadata claims no required env vars / primary credential while SKILL.md and the scripts require OMADA_URL, OMADA_CLIENT_ID, and OMADA_CLIENT_SECRET — a mismatch between declared metadata and actual capability requirements.
Instruction Scope
Runtime instructions limit activity to querying the user's Omada controller over HTTPS and running the included Python scripts. The SKILL.md explicitly recommends Viewer role and warns not to paste secrets in chat. The instructions and scripts do not direct data to third-party endpoints or attempt to read unrelated local files; they only read environment variables and call the controller APIs.
Install Mechanism
There is no install spec and no external downloads; all code is bundled in the skill (two scripts and reference docs). That minimizes install-time risk — nothing is fetched from arbitrary URLs or written automatically to system locations.
Credentials
The scripts legitimately need controller credentials (OMADA_URL, OMADA_CLIENT_ID, OMADA_CLIENT_SECRET) and optional OMADA_OMADAC_ID, OMADA_SITE, OMADA_VERIFY_SSL. Those requested secrets are proportionate to the stated purpose. The concern is the registry metadata failing to declare these required env vars/primary credential, which may mislead users into installing without realizing they must supply sensitive credentials.
Persistence & Privilege
The skill does not request permanent presence (always is false), does not modify other skills or global agent settings, and has no elevated platform privileges. It only runs as a user-invoked Python script using environment variables the user provides.
What to consider before installing
This package largely does what it claims (read-only Omada diagnostics) but before installing or running it:
1) Treat OMADA_CLIENT_SECRET and related values as secrets — don't paste them into chat; set them as environment variables on a local machine you control.
2) Expect the repository/registry metadata to be incorrect about required env vars — SKILL.md and the scripts do require OMADA_URL, OMADA_CLIENT_ID, and OMADA_CLIENT_SECRET.
3) Inspect the included scripts locally (they're bundled) and run them in a safe environment; there are a few code-quality bugs (inconsistent JSON access and broad exception handling) that could conceal errors.
4) Use a Viewer-scoped API app in Omada (no admin privileges).
5) If you plan to let an autonomous agent invoke this skill, be cautious because the agent would have network access to your controller; prefer to run the scripts manually until you verify behavior.
6) Ask the publisher to correct the registry metadata to list the required environment variables so the requirements are explicit.

Like a lobster shell, security has layers — review code before you run it.

Tags: diagnostics, latest, networking, omada, read-only, tplink
