Back to skill

Security audit

Unifi

Security checks across malware telemetry and agentic risk

Overview

This UniFi monitoring skill is mostly purpose-aligned, but it automatically saves sensitive network inventory and raw debug data locally without clear user control or disclosure.

Review before installing on a sensitive network. Use a dedicated least-privilege UniFi account if possible, restrict permissions on the credential file, understand that TLS certificate verification is disabled by default, and inspect or remove the generated inventory/debug files if you do not want network details retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though its documented behavior clearly requires shell execution and outbound network access. Missing permission declarations weaken review and enforcement boundaries, making it easier for a supposedly simple monitoring skill to run commands and contact systems without explicit user or platform scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill presents itself as read-only status monitoring, but the reported behavior includes collecting sensitive configuration data such as SSIDs, firewall rules, port forwards, routing, and network configuration, plus writing persistent local inventory/debug files. This mismatch is dangerous because users may consent to routine monitoring while unknowingly exposing much more sensitive infrastructure data and creating local artifacts that can leak or persist beyond the session.

Context-Inappropriate Capability

Low
Confidence
71% confidence
Finding
The README instructs users to create a local admin account for a skill described as read-only monitoring, which grants broader privileges than necessary if those credentials are later exposed or misused. In context, this increases blast radius because the documentation normalizes elevated access for routine monitoring and pairs it with API usage against a local gateway.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script is framed as a monitoring dashboard, but it also collects and persists sensitive configuration and inventory data including devices, clients, networks, WLANs, port forwards, firewall rules, routes, and system info. In a local agent-skill context, silently writing this material to a fixed path in the user's home directory expands data exposure beyond the immediate request and can leak internal topology and security posture to other local processes or later prompts.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The debug block writes aggregated UniFi API responses to dashboard_debug_dump.json as a side effect, without user consent or any access controls. Those responses can contain client identities, network names, subnets, and configuration details, creating an unnecessary local data-at-rest exposure that is especially risky for troubleshooting artifacts that may be forgotten or shared.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that the scripts use curl -k to skip TLS certificate verification, which defeats authentication of the gateway and enables man-in-the-middle interception of credentials and API responses. This is especially risky because the skill handles usernames and passwords for a local admin account, so the combination of privileged credentials and disabled certificate validation materially weakens transport security.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file documents authenticated UniFi endpoints that return sensitive operational and administrative data, including user identity, site inventory, device status, clients, and admin information, but it does not clearly warn that using them requires privileged access and may expose private network details. In a monitoring skill, this increases the chance that an agent will retrieve and surface sensitive data to a user or log it without appropriate consent, scoping, or minimization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented read-only endpoints include especially sensitive sources such as DPI traffic metadata, client inventories, firewall rules, RADIUS profiles/accounts, and port forwards. Even without mutation, these can reveal user behavior, internal topology, authentication-related details, and defensive posture, which materially increases privacy and reconnaissance risk if the skill over-collects or exposes results.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes a network inventory report to $HOME/clawd/memory/bank/unifi-inventory.md without any user-facing warning, even though the skill description suggests a status/query function rather than durable collection. Persisting internal device, client, and configuration information without disclosure violates least surprise and increases the chance of unintended retention, later exfiltration, or access by other tools using that memory path.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The undeclared debug JSON write is a non-obvious side effect that stores raw collected API data locally without warning. Because this is raw JSON rather than a minimized report, it likely contains more sensitive detail than the displayed dashboard and therefore increases the blast radius of accidental disclosure or compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The login request sends credentials with curl using the -k flag, which disables TLS certificate verification. That allows a man-in-the-middle on the network to intercept or modify the HTTPS connection and capture the UniFi username and password, making the authenticated transmission materially unsafe in practice.

External Transmission

Medium
Category
Data Exfiltration
Content
payload=$(jq -nc --arg username "$UNIFI_USER" --arg password "$UNIFI_PASS" '{username:$username,password:$password}')
  
  # Try login
  curl -sk -c "$cookie_file" \
    -H "Content-Type: application/json" \
    -X POST \
    "$UNIFI_URL/api/auth/login" \
Confidence
97% confidence
Finding
curl -sk -c "$cookie_file" \ -H "Content-Type: application/json" \ -X POST \ "$UNIFI_URL/api/auth/login" \ --data

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.