Asus Router
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: asus-router Version: 1.1.0 The asus-router skill is a legitimate management tool for AsusWRT-based routers using the 'asusrouter' Python library. It provides comprehensive monitoring and control features, including status checks, client listing, and reboot capabilities, all of which align with its stated purpose. The code handles configuration securely via local files or environment variables and uses safe subprocess execution for network diagnostics (router.py).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the config file may be able to access the router with the configured account.
The skill requires and persists router admin credentials in a local configuration file. This is expected for managing the router, but the credentials can control a high-impact network device.
NEVER commit config.yaml — it contains your router credentials.
Keep config.yaml out of source control, restrict file permissions, prefer HTTPS local access when stable, and use the least-privileged router account available.
If run at the wrong time, the command could temporarily disconnect users and devices from the network.
The skill includes a router reboot operation that can disrupt the network, but it is clearly documented and gated behind an explicit confirmation flag.
python3 router.py reboot --confirm ... Requires `--confirm` flag. Causes 2-3 min downtime.
Only allow the agent to run reboot after a clear user request and awareness of the downtime.
Raw output could include sensitive local network details such as device identifiers, topology, VPN status, or configuration-like data exposed by the router API.
The raw command is an intentional escape hatch for router datasets. It is purpose-aligned, but it may print broad router and network details beyond the prettier built-in commands.
`raw` is intentionally included ... Dump any AsusData dataset by name
Use raw dumps only for diagnostics, review output before sharing it, and avoid posting router data publicly.
Installing unexpected or compromised package versions could affect the local environment where the skill runs.
The skill relies on external PyPI packages installed without version pins. This is normal for this kind of integration, but it leaves dependency provenance and version selection to the user environment.
pip install asusrouter aiohttp
Install in a virtual environment, use trusted package indexes, and consider pinning known-good versions for long-term use.
Local device names, presence information, MAC addresses, and IP addresses may appear in command output and chat history.
The clients command surfaces device names, MAC addresses, and IP addresses from the router. This is central to the skill, but those values may enter the agent conversation as sensitive retrieved context.
'name': desc.name or 'Unknown', 'mac': mac, 'ip': conn.ip_address
Treat router output as private network information, and do not treat device names or other router-provided labels as instructions.