v1.0.3

Unifi Inforjota Integration

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:11 AM.

Analysis

The skill is mostly coherent read-only UniFi monitoring, but review is warranted because its docs request high-privilege admin credentials and its helper can make broad authenticated gateway reads.

Guidance: Review before installing. Prefer a least-privileged UniFi integration API key, do not store a local admin password unless you deliberately need it, protect the config file, and be aware that the skill can display sensitive network details such as client names, IPs, MAC addresses, WLAN names, alarms, and traffic/DPI data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/unifi-api.sh
curl -sk ... -H "X-API-KEY: $UNIFI_TOKEN" ... "$UNIFI_URL$path" ... /*) unifi_request "$endpoint" ;;

The helper sends the API key to any slash-prefixed path on the configured UniFi gateway, rather than limiting access to the documented monitoring endpoints. The same request also disables TLS certificate verification with -k.

User impact: A broad or mistaken raw request could retrieve sensitive UniFi configuration data beyond the normal dashboard/device/client views, and because certificate verification is disabled, anyone able to interpose on the path to the gateway can capture the API key.
Recommendation: Restrict raw endpoint access to an allowlist of intended read-only paths, require explicit user confirmation for raw requests, redact sensitive fields, and verify the gateway certificate (against the system trust store or a pinned CA/leaf certificate) instead of passing -k.
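A hardened shape for the helper, added here as an example and not the skill's own scripts/unifi-api.sh: the endpoint allowlist is enforced before any request is sent, and the gateway certificate is verified against a pinned CA or leaf file instead of being skipped with -k. The three UniFi Integration API paths, the UNIFI_CA_CERT variable, and the assumption that UNIFI_URL and UNIFI_TOKEN are already loaded are illustrative choices, not taken from the page.

```shell
#!/bin/sh
# Added example: allowlisted, certificate-verifying replacement for a raw-request helper.
# Assumed (not from the page): the three Integration API paths below, the UNIFI_CA_CERT
# variable, and that UNIFI_URL / UNIFI_TOKEN are already set by the skill's config loader.

# Returns 0 only for a well-formed, allowlisted read-only path. Other controller endpoints,
# query strings, extra path segments and anything containing whitespace are refused.
unifi_path_allowed() {
    upa_path="$1"
    # Reject whitespace (including newlines) outright so a multi-line argument cannot slip
    # a second line past the anchored, line-based regex below.
    case "$upa_path" in
        *[[:space:]]*) return 1 ;;
    esac
    # Anchored match: the sites collection, or exactly one site id followed by /devices or /clients.
    printf '%s\n' "$upa_path" | grep -Eq \
        '^/proxy/network/integration/v1/sites(/[A-Za-z0-9_-]+/(devices|clients))?$'
}

# Authenticated GET against the gateway. Fails closed when the path is not allowlisted and
# verifies the gateway certificate against a pinned file rather than disabling TLS checks.
unifi_request() {
    ur_path="$1"
    if ! unifi_path_allowed "$ur_path"; then
        echo "refused: $ur_path is not an allowlisted read-only UniFi endpoint" >&2
        return 2
    fi
    curl -sS --fail \
        --cacert "${UNIFI_CA_CERT:?set UNIFI_CA_CERT to the gateway CA or leaf certificate}" \
        -H "X-API-KEY: ${UNIFI_TOKEN:?}" \
        -H 'Accept: application/json' \
        "${UNIFI_URL:?}$ur_path"
}
```

Self-signed gateway certificates are the usual reason -k appears in scripts like this; exporting the gateway's certificate once and pointing UNIFI_CA_CERT at it (or using curl's --pinnedpubkey) keeps verification on without trusting every certificate. If raw access is genuinely needed, gate it behind an explicit interactive confirmation rather than widening the allowlist.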
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
metadata
Required binaries ... none; Env var declarations: none; Primary credential: none; Required config paths: none; No install spec — this is an instruction-only skill.

The packaged scripts rely on local shell tooling and a UniFi credential config file, but the registry metadata does not declare those requirements. This is not hidden remote code execution, but it makes the setup and credential contract less clear.

User impact: Installation may appear to require no credentials or tools even though the scripts need a configured UniFi token and local utilities such as curl and jq.
Recommendation: Declare the required credential/config path and command-line dependencies in metadata so users can review the access being granted before installation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Concern.
README.md
Create a new local admin ... Note the username and password ... "username": "api", "password": "your-password-here"

This directs users to create and store UniFi local admin credentials even though the skill is described and implemented around X-API-KEY monitoring. A local admin password is broader, high-impact authority for a read-only monitoring task.

User impact: You could unnecessarily place a powerful UniFi admin password in a local credential file used by the skill.
Recommendation: Use a least-privileged UniFi integration API key only. Remove or clearly mark username/password setup as obsolete or optional, and protect any credential file with restrictive permissions (owner read/write only, i.e. mode 0600).
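A credential loader that enforces the recommendation above, added here as an example and not part of the skill: it refuses a config file that other users can read or that a different user owns, accepts only a gateway URL and an API key, and fails if a password or username entry is present so that a leftover admin password is noticed rather than silently carried along. The key=value file format and the UNIFI_URL / UNIFI_TOKEN names are assumptions; the page shows nothing of the skill's real config layout beyond the JSON fragment quoted from README.md.

```shell
#!/bin/sh
# Added example: least-privilege credential loader for a UniFi monitoring helper.
# Assumed (not from the page): a key=value config file holding UNIFI_URL and UNIFI_TOKEN;
# the skill's actual config layout is not shown beyond the README's JSON fragment.

# Loads UNIFI_URL and UNIFI_TOKEN from the file named in "$1". Returns non-zero without
# setting anything if the file is group/other-readable, owned by another uid, missing a
# required key, or contains a password/username entry.
unifi_load_config() {
    ulc_file="$1"
    if [ ! -f "$ulc_file" ]; then
        echo "config not found: $ulc_file" >&2
        return 1
    fi

    # Portable mode/owner check: field 1 of ls -lnd is the mode string, field 3 the numeric uid.
    set -- $(ls -lnd "$ulc_file")
    ulc_mode="$1"; ulc_uid="$3"
    case "$ulc_mode" in
        ????------*) ;;   # group and other bits all clear (0600 or stricter); trailing + or @ tolerated
        *) echo "refusing $ulc_file: mode $ulc_mode lets other users read the API key (chmod 600 it)" >&2
           return 1 ;;
    esac
    if [ "$ulc_uid" != "$(id -u)" ]; then
        echo "refusing $ulc_file: owned by uid $ulc_uid, not the current user" >&2
        return 1
    fi

    # Parse into temporaries so a rejected file never leaves partial state behind.
    ulc_url=""; ulc_token=""
    while IFS='=' read -r ulc_key ulc_value; do
        case "$ulc_key" in
            ''|'#'*) ;;                                  # blank line or comment
            UNIFI_URL)   ulc_url="$ulc_value" ;;
            UNIFI_TOKEN) ulc_token="$ulc_value" ;;
            *[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*|username)
                # A local admin password is far more authority than read-only monitoring needs.
                echo "refusing $ulc_file: contains '$ulc_key'; use an integration API key only" >&2
                return 1 ;;
            *) echo "warning: ignoring unknown key '$ulc_key' in $ulc_file" >&2 ;;
        esac
    done < "$ulc_file"

    if [ -z "$ulc_url" ] || [ -z "$ulc_token" ]; then
        echo "refusing $ulc_file: UNIFI_URL and UNIFI_TOKEN are both required" >&2
        return 1
    fi
    UNIFI_URL="$ulc_url"
    UNIFI_TOKEN="$ulc_token"
}
```

Failing on a password entry instead of ignoring it is a deliberate choice: the point of the finding is that the password should not be on disk at all, so the loader makes its presence a visible error rather than a quietly tolerated leftover.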