Asus Router
PassAudited by ClawScan on May 12, 2026.
Overview
This appears to be a legitimate Asus router management skill, but it needs router admin credentials and can expose local network details or reboot the router when explicitly commanded.
Install only if you are comfortable giving the skill access to your Asus router admin account. Protect config.yaml, use a virtual environment for dependencies, avoid sharing JSON/raw outputs publicly, and require explicit approval before allowing the agent to reboot the router.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the config file may be able to access the router with the configured account.
The skill requires and persists router admin credentials in a local configuration file. This is expected for managing the router, but the credentials can control a high-impact network device.
NEVER commit config.yaml — it contains your router credentials.
Keep config.yaml out of source control, restrict file permissions, prefer HTTPS local access when stable, and use the least-privileged router account available.
If run at the wrong time, the command could temporarily disconnect users and devices from the network.
The skill includes a router reboot operation that can disrupt the network, but it is clearly documented and gated behind an explicit confirmation flag.
python3 router.py reboot --confirm ... Requires `--confirm` flag. Causes 2-3 min downtime.
Only allow the agent to run reboot after a clear user request and awareness of the downtime.
Raw output could include sensitive local network details such as device identifiers, topology, VPN status, or configuration-like data exposed by the router API.
The raw command is an intentional escape hatch for router datasets. It is purpose-aligned, but it may print broad router and network details beyond the prettier built-in commands.
`raw` is intentionally included ... Dump any AsusData dataset by name
Use raw dumps only for diagnostics, review output before sharing it, and avoid posting router data publicly.
Installing unexpected or compromised package versions could affect the local environment where the skill runs.
The skill relies on external PyPI packages installed without version pins. This is normal for this kind of integration, but it leaves dependency provenance and version selection to the user environment.
pip install asusrouter aiohttp
Install in a virtual environment, use trusted package indexes, and consider pinning known-good versions for long-term use.
Local device names, presence information, MAC addresses, and IP addresses may appear in command output and chat history.
The clients command surfaces device names, MAC addresses, and IP addresses from the router. This is central to the skill, but those values may enter the agent conversation as sensitive retrieved context.
'name': desc.name or 'Unknown', 'mac': mac, 'ip': conn.ip_address
Treat router output as private network information, and do not treat device names or other router-provided labels as instructions.