LibreNMS
Review
Audited by ClawScan on May 17, 2026.
Overview
This appears to be a disclosed LibreNMS integration that needs an API token and offers gated alert/maintenance writes; use a least-privilege token and avoid insecure TLS outside a trusted lab.
Install only if you want an agent to access your LibreNMS instance. Configure a read-only token first, upgrade to write access only if you need alert acknowledgement, unmute, or maintenance tools, and keep insecure TLS disabled unless you are in a trusted self-signed lab environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a high-privilege LibreNMS token, the agent may be able to read monitoring data and perform allowed write actions against your monitoring system.
The skill needs a LibreNMS API token, and the documentation acknowledges that token scope may range from read-only to global read/write. This is purpose-aligned, but the token determines how much authority the agent receives.
LIBRENMS_TOKEN=<your-api-token> ... **API token scope recommendation:** start with a "Read Only" token role ... Grade up to "Normal User" or "Global Read/Write" only after...
Start with a read-only LibreNMS token. Only use a write-capable token if you need the write tools, and revoke or rotate the token if you no longer need the integration.
With a write-capable token, tool use could change alert or maintenance state in LibreNMS.
The skill exposes scoped write tools that can acknowledge/unmute alerts or set maintenance state. These are disclosed and gated, but they can still change monitoring behavior.
**Safe writes (3, require `confirm: true`):** `librenms_ack_alert`, `librenms_unmute_alert`, `librenms_set_maintenance`.
Keep write access disabled unless needed, and require an explicit user decision before allowing calls with `confirm: true`.
If enabled on an untrusted network, an attacker could impersonate the LibreNMS server and potentially observe API traffic, including the token.
When the documented insecure TLS option is enabled, HTTPS certificate verification is disabled for the LibreNMS connection. This is disclosed for self-signed homelab deployments but weakens transport security.
this.dispatcher = new UndiciAgent({ connect: { rejectUnauthorized: false } });
Leave `LIBRENMS_TLS_INSECURE=false` unless you are connecting to a trusted self-signed LibreNMS instance in a controlled environment.
