v1.0.0

Fing Local API

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 6:24 AM.

Analysis

This is a coherent read-only Fing Local API helper, but it uses an API key and can reveal private network inventory and presence data.

Guidance: This skill appears safe for its stated read-only Fing Local API purpose. Before installing, make sure you are comfortable giving the agent access to Fing network inventory and presence data, keep FING_API_KEY private, verify the configured Fing host is trusted, and prefer summarized outputs unless detailed troubleshooting is necessary.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Raw API wrapper for debugging ... devices --raw ... Do not expose full MAC/IP/name inventories outside Igor's direct context.

The skill can retrieve detailed inventory data, including raw responses, and the documentation acknowledges that full MAC/IP/name inventories are sensitive.

User impact: Detailed output could reveal private home or lab network structure if copied into shared chats, tickets, or logs.
Recommendation: Prefer the summary command, request full device or raw output only when needed, and avoid sharing detailed inventory outside the intended private context.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/fing_helper.py
parser.add_argument("--api-key", default=os.getenv("FING_API_KEY")); params = urllib.parse.urlencode({"auth": api_key})

The helper requires a Fing API key and sends it as the Local API authentication parameter. This is purpose-aligned, but the key grants access to private local network data.

User impact: Anyone with the key can query the Fing Local API for device and presence information available to that agent.
Recommendation: Use a dedicated Fing API key, keep it out of logs and shared command history, and verify FING_API_HOST points only to the intended local or LAN Fing agent.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
scripts/fing_helper.py
"name": d.get("name") ... "displayName": (p.get("contactInfo") or {}).get("displayName")

Device names and contact display names from the local network are placed into the agent's context. These fields should be treated as data, not as instructions.

User impact: A device or contact name could contain misleading text, and private names may become visible in the conversation.
Recommendation: Treat all API-returned names as untrusted data and avoid storing, reusing, or following any instruction-like text that appears in device or contact fields.